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About  This  Document 


About  This  Document 


This  document  is  Volume  10  of  the  OCTAVE-S  Implementation  Guide ,  a  10- volume 
handbook  supporting  the  OCTAVE-S  methodology.  This  volume  provides  complete  example 
scenario  of  a  fictitious  medical  facility,  MedSite,  and  the  results  of  its  OCTAVE-S 
evaluation.  Most  of  the  worksheets  showing  the  example  results  are  provided.  However,  the 
complete  worksheets  for  only  one  asset  (rather  than  five)  are  included. 

The  other  volumes  in  this  handbook  are 

•  Volume  1:  Introduction  to  OCTAVE-S  -  This  volume  provides  a  basic  description  of 
OCTAVE-S  and  advice  on  how  to  use  the  guide. 

•  Volume  2:  Preparation  Guidelines  —  This  volume  contains  background  and  guidance  for 
preparing  to  conduct  an  OCTAVE-S  evaluation. 

•  Volume  3:  Method  Guidelines  -  This  volume  includes  detailed  guidance  for  each 
OCTAVE-S  activity. 

•  Volume  4:  Organizational  Information  Workbook  -  This  volume  provides  worksheets  for 
all  organizational-level  information  gathered  and  analyzed  during  OCTAVE-S. 

•  Volume  5:  Critical  Asset  Workbook  for  Information  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  information. 

•  Volume  6:  Critical  Asset  Workbook  for  Systems  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  systems. 

•  Volume  7:  Critical  Asset  Workbook  for  Applications  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  applications. 

•  Volume  8:  Critical  Asset  Workbook  for  People  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  people. 

•  Volume  9:  Strategy  and  Plan  Workbook  -  This  volume  provides  worksheets  to  record  the 
current  and  desired  protection  strategy  and  the  risk  mitigation  plans. 

•  Volume  10:  Example  Scenario  -  This  volume  includes  a  detailed  scenario  illustrating  a 
completed  set  of  worksheets. 
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Abstract 


Abstract 


The  Operationally  Critical  Threat,  Asset,  and  Vulnerability  Evaluation^  (OCTAVE®) 
approach  defines  a  risk-based  strategic  assessment  and  planning  technique  for  security. 
OCTAVE  is  a  self-directed  approach,  meaning  that  people  from  an  organization  assume 
responsibility  for  setting  the  organization’s  security  strategy.  OCTAVE-S  is  a  variation  of  the 
approach  tailored  to  the  limited  means  and  unique  constraints  typically  found  in  small 
organizations  (less  than  100  people).  OCTAVE-S  is  led  by  a  small,  interdisciplinary  team 
(three  to  five  people)  of  an  organization’s  personnel  who  gather  and  analyze  information, 
producing  a  protection  strategy  and  mitigation  plans  based  on  the  organization’s  unique 
operational  security  risks.  To  conduct  OCTAVE-S  effectively,  the  team  must  have  broad 
knowledge  of  the  organization’s  business  and  security  processes,  so  it  will  be  able  to  conduct 
all  activities  by  itself. 
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MedSite  Background 


1  MedSite  Background 


To  help  you  understand  how  to  complete  the  individual  steps  in  this  evaluation,  we  provide  an 
example  that  illustrates  how  each  step  was  conducted  by  personnel  in  a  fictitious  small  medical 
facility  called  MedSite.  The  first  two  sections,  including  this  one,  provide  background  on 
MedSite  and  a  commentary  about  how  the  evaluation  proceeded  at  MedSite.  The  rest  of  this 
document  consists  of  OCTAVE-S  worksheets  showing  the  results  achieved  by  the  MedSite 
analysis  team.  The  background  provides  the  necessary  context  to  understand  the  contents  of  the 
worksheets  and  should  be  read  in  conjunction  with  the  worksheets. 


1.1  MedSite  Description 

MedSite  is  a  hospital  with  several  clinics  and  labs,  some  of  which  are  at  remote  locations.  The 
hospital  includes  the  following  functional  areas: 

•  a  permanent  administrative  organization 

•  permanent  and  temporary  medical  personnel,  including  physicians,  surgeons,  and  medical 
staff 

•  permanent  and  temporary  maintenance  personnel,  including  facility  and  maintenance  staff 

•  a  small  information  technology  department  (three  people)  that  is  responsible  for  on-site 
computer  and  network  maintenance  and  upgrades  and  for  help  desk  activities  (e.g.,  handling 
simple  user  requests) 

1 .2  MedSite’s  Organizational  Structure 

The  MedSite  Administrator  is  the  chief  administrator  for  the  hospital.  The  chief  administrator  has 
a  small  staff  that  is  responsible  for  overseeing  operations  at  MedSite.  Each  major  functional  area 
of  the  organization  (administrative,  medical,  and  lab)  reports  directly  to  the  chief  administrator. 
MedSite’s  senior  management  team  includes  the  MedSite  Administrator  and  the  individuals  who 
lead  the  functional  areas  of  the  organization.  Each  functional  area  of  MedSite  contains  one  or 
more  operational  areas.  The  head  of  each  operational  area  is  considered  to  be  a  middle  manager  in 
the  organization.  Figure  1  shows  the  organizational  chart  for  MedSite. 
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1.3  MedSite’s  System 

MedSite’s  main  information  system  is  the  Patient  Information  Data  System  (PIDS).  PIDS  is  a 
distributed  database  application  and  system  software  with  a  dedicated  PIDS  server  on  a  shared 
network  accessed  by  both  dedicated  and  shared  desktop  personal  computers  (PCs).  The  shared 
components  support  a  variety  of  medical  applications  and  databases.  The  system  also  links  and 
integrates  a  set  of  smaller,  older  databases  related  to  patient  care,  lab  results,  and  billing. 

Patient  data  can  be  entered  into  PIDS  or  one  of  the  other  databases  at  any  time  from  any 
workstation.  Physicians,  administrative  clerks,  lab  technicians,  and  nurses  have  authorization  to 
enter  data  into  PIDS  as  well  as  the  other  systems.  Personal  computers,  or  workstations,  are 
located  in  all  offices,  treatment  rooms  (including  emergency  rooms),  nursing  stations,  and  labs.  In 
addition,  physicians  can  also  remotely  access  PIDS  using  their  home  personal  computers.  In  fact, 
there  is  talk  around  the  hospital  that  medical  personnel  will  soon  be  able  to  access  PIDS  using 
personal  digital  assistants  (PDAs). 


Figure  1:  High-Level  MedSite  Organizational  Chart 

An  independent  contractor,  ABC  Systems,  provides  support  for  most  of  the  systems  at  MedSite  as 
well  as  for  the  network.  MedSite’s  information  technology  (IT)  personnel  provide  day-to-day 
maintenance  under  the  training  and  direction  of  ABC  Systems  personnel.  MedSite  s  IT  staff  also 
support  the  help  desk  by  taking  calls  and  responding  to  immediate  needs.  The  IT  staff  members 
from  MedSite  provide  on-site  help  desk  support  and  basic  system  maintenance.  ABC  Systems 
provided  MedSite’s  IT  personnel  with  limited  systems  and  network  training  about  a  year  ago. 
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MedSite’s  senior  managers  decided  they  wanted  a  comprehensive  review  of  information  security 
within  their  facility.  Several  new  regulations  are  now  in  effect  (e.g.,  the  Health  Insurance 
Portability  and  Accountability  Act  [HIPAA]),  requiring  MedSite  to  document  the  results  of  an 
information  security  risk  evaluation.  The  regulations  also  require  MedSite  to  implement  a 
practice-based  standard  of  due  care.  After  some  discussion  and  consultation  with  other  medical 
facility  managers,  they  decided  to  use  OCTAVE-S. 

The  analysis  team  has  been  selected  and  trained.  The  core  analysis  team  members  are 

•  Alvarez  -  a  physician,  at  MedSite  for  five  years 

•  Green  —  assistant  manager  of  Administration,  at  MedSite  for  eight  years.  Green  will  lead  the 
analysis  team. 

•  Smith  -  senior  IT  staff  member,  at  MedSite  for  three  years 

•  Haley  -  lab  technician,  at  MedSite  for  four  years 


The  team  met  to  prepare  for  the  evaluation.  They  decided  to  scope  the  evaluation  to  include  the 
entire  organization  as  there  are  only  three  real  operational  areas  —  Administration,  Medical,  and 
the  Lab.  They  also  checked  with  colleagues  in  other  medical  facilities  to  locate  any  historical  data 
on  any  type  of  threats  that  they  might  be  willing  to  share  later  on  or  to  discuss  when  the  analysis 
team  needed  to  define  probability  evaluation  criteria.  Probability  is  required  by  some  regulations, 
and  the  team  felt  that  they  needed  to  try  to  use  some  form  of  qualitative  probability  during  risk 
analysis. 

As  this  was  their  first  use  of  OCTAVE-S,  they  decided  not  to  tailor  the  catalog  of  practices  or  the 
surveys  to  align  them  with  current  regulations,  such  as  HIPAA.  Instead,  after  the  evaluation,  they 
will  use  a  gap  analysis  to  determine  what  additional  actions  are  required  to  ensure  compliance 
and  to  protect  their  information-related  assets.  The  budget  for  security  improvements  over  the 
next  six  months  is  limited,  and  senior  managers  prefer  to  ensure  their  critical  assets  are  protected 
now  and  deal  with  any  additional  regulation  compliance  during  the  next  budget  cycle. 


1 .4  MedSite  Team’s  Experience 

MedSite’s  analysis  team  completed  the  evaluation  in  four  weeks  working  part  time.  This  section 
summarizes  the  team’s  activities,  its  decisions,  and  other  contextual  information  related  to  the 
evaluation.  As  you  review  the  results,  you  will  notice  that  we  provide  complete  results  for  only 
one  of  the  critical  assets. 
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1.4.1  Phase  1:  Build  Asset-Based  Threat  Profiles 

The  analysis  team  met  daily  over  the  course  of  one  week  to  finish  Phase  1 .  At  the  end  of  the 
week,  the  team  met  with  MedSite’s  senior  managers  to  review  the  impact  evaluation  criteria  and 
get  them  approved.  MedSite’s  senior  managers  decided  to  use  the  criteria  developed  by  the  team 
and  subsequently  review  the  results.  If  the  criteria  turned  out  to  be  too  vague  or  if  they  seemed  to 
skew  the  results,  senior  managers  reserved  the  right  to  revise  the  criteria  and  ask  the  team  to  re¬ 
evaluate  the  risks. 

1 .4.1 .1  Process  SI :  Identify  Organizational  Information 

Sl.l:  Establish  impact  evaluation  criteria  (Step  1) 

Using  the  Impact  Evaluation  Criteria  Worksheet  [p.  33],  the  analysis  team  defined  the  ranges  of 
possible  impacts  on  the  organization.  The  team  had  sufficient  information  on  the  nature  of 
impacts  caused  by  common  problems  and  emergencies,  and  it  used  this  information  as  the  basis 
for  setting  impact  measures  (high,  medium,  low)  across  multiple  impact  areas.  For  example, 
MedSite  is  a  very  successful  company,  with  more  than  75%  of  the  region  s  people  coming  to 
MedSite  for  medical  care.  MedSite  normally  sees  a  5-15%  fluctuation  in  patient  numbers  from 
month  to  month.  The  team  uses  this  information  to  determine  that  the  company  could  recover 
from  a  10%  drop  in  customers,  but  a  30%  drop  would  mean  a  serious  problem  that  could  be 
irreversible.  MedSite’s  budget  includes  a  2%  margin  for  unexpected  changes  in  operating  costs 
and  a  5%  margin  for  unexpected  changes  in  overall  revenue.  Insurance  covers  nearly  all  types  of 
losses  of  up  to  $250,000  and  many  items  up  to  $1  million  without  any  increase  in  premiums.  Any 
coverable  loss  of  more  than  $1  million  means  an  immediate  increase  in  premiums.  In  terms  of 
production,  minor  increases  (10%  for  a  few  days)  in  personnel  hours  happen  all  the  time  because 
of  accidents  and  unexpected  fluctuations  in  patient  needs.  A  high  increase  occurred  during  the 
previous  year  when  a  snowstorm  nearly  paralyzed  the  community.  Nearly  everyone  at  MedSite 
worked  an  additional  30%  for  a  3-day  period  to  make  up  for  lost  time.  The  team  also  determined 
that  any  loss  of  life  or  permanent  damage  to  patients  was  considered  unacceptable.  These  items 
were  incorporated  into  the  evaluation  criteria. 

SI. 2:  Identify  organizational  assets  (Step  2) 

The  analysis  team  used  its  knowledge  of  MedSite’s  systems  as  a  starting  point  for  identifying 
assets,  because  staff  members’  daily  tasks  were  tightly  integrated  with  the  systems  they  used. 
When  using  the  Asset  Identification  Worksheet  [p.  45]  to  identify  assets,  team  members  could  see 
how  much  information  actually  resided  on  MedSite’s  information  systems.  Patient  information, 
which  was  regulated  in  terms  of  privacy  and  security,  could  be  found  in  several  forms  including 
both  electronic  and  paper  files.  The  team  also  noticed  that  personal  computers  were  common  to 
all  systems  and  provided  a  conduit  to  all  important  electronic  information.  It  was  more  difficult 
for  the  team  to  identify  people-related  assets,  because  everyone  had  important  roles  at  MedSite. 
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Eventually,  the  team  decided  that  only  people  with  unique  skills  or  knowledge  that  could  not 
easily  be  replaced  would  be  documented  as  assets  during  the  evaluation.  They  were  essentially 
interested  in  identifying  single  points  of  failure  related  to  people.  For  example.  Smith  was  the 
only  IT  staff  member  with  networking  skills  and  was  thus  critical  to  day-to-day  operations. 
Likewise  the  people  at  ABC  Systems  were  also  identified  as  important  people-related  assets.  The 
staff  at  ABC  Systems  maintained  PIDS  for  MedSite,  and  it  would  be  difficult  to  find  any  other 
contracting  organization  that  could  easily  assume  this  responsibility  without  disrupting  MedSite’s 
operations.  In  addition,  ABC  Systems  was  also  in  the  midst  of  developing  the  replacement  for 
PIDS  (PIDS  II),  making  ABC  Systems  integral  to  the  future  operations  of  MedSite  as  well. 

S1.3:  Evaluate  organizational  security  practices  (Steps  3-4) 

The  team  used  the  Security  Practices  Worksheet  [p.  51]  to  document  the  current  state  and 
effectiveness  of  their  security  practices.  Team  members  discussed  each  survey  question  until  they 
arrived  at  a  consensus  (Step  3a)  about  the  extent  to  which  each  practice  was  present  at  MedSite. 
As  they  discussed  a  practice,  team  members  often  recorded  notes  about  particular  strengths  and 
weaknesses  (Step  3b)  related  to  that  practice.  Finally,  for  each  security  practice  area,  the  team 
assigned  it  a  stoplight  status  based  on  the  information  it  recorded  (Step  4).  The  team  was 
surprised  at  how  many  areas  were  assigned  red  and  yellow  statuses.  Team  members  did  not  assign 
a  green  status  to  any  of  the  security  practice  areas. 

The  team  noted  that  some  security  practices  were  performed  well  at  MedSite,  but  the  vast 
majority  were  not  executed  properly.  One  of  the  few  practices  performed  consistently  well  was 
documenting  and  revising  policies.  Because  MedSite’s  policies  were  audited  periodically, 
management  paid  particular  attention  to  this  practice  area.  Unfortunately,  medical  regulations  had 
not  specified  the  need  for  security  in  the  past,  and  MedSite’s  security-related  policies  were 
incomplete.  The  team  believed  that  physical  security  practices  were  adequate  and  assigned 
MedSite  a  yellow  status  for  physical  access  control.  However,  monitoring  and  auditing  physical 
security  was  assigned  a  red  status.  Team  members  were  also  concerned  that  the  Facilities 
Management  Group  was  so  independent  that  it  functioned  like  a  separate  entity,  providing  little 
communication  and  insight  into  its  actions.  After  discussing  the  Facilities  Management  Group’s 
physical  security  practices,  the  analysis  team  decided  to  add  an  additional  concern  to  the 
collaborative  security  management  security  practice  area. 

Because  ABC  Systems  maintained  and  controlled  PIDS  and  other  systems,  the  team  had  a 
difficult  time  answering  some  of  the  technology-based  survey  questions.  In  fact,  no  one  at 
MedSite  really  understood  what  ABC  Systems  was  doing,  driving  home  how  dependent  MedSite 
had  become  on  that  contracting  organization.  Team  members  were  also  becoming  increasingly 
concerned  over  the  in-progress  development  of  PIDS  II. 


CMU/SEI-2003-HB-003  Volume  10 


5 


MedSite  Background 


OCTAVE-S  V1.0 


Even  though  the  majority  of  answers  for  the  incident  management  area  were  negative,  this  was 
one  area  in  which  MedSite  had  a  good  set  of  documented  procedures.  The  procedures  were  a 
standard,  tested,  and  verified  set  provided  by  a  medical  society  to  which  MedSite  belonged.  As  a 
result,  the  team  gave  the  company  a  yellow  status  for  that  area. 

No  other  notes  or  action  items  resulted  from  Process  SI . 

1 .4.1 .2  Process  S2:  Create  Threat  Profiles 

S2.1:  Select  Critical  Assets  (Steps  5-9) 

Selecting  critical  assets  proved  to  be  less  difficult  that  the  analysis  team  expected.  The  team 
selected  the  following  critical  assets: 

•  PIDS  (Patient  Information  Data  System)  -  This  was  an  obvious  choice  for  the  team.  PIDS  is 
central  to  MedSite’s  medical  operations,  because  it  is  the  central  repository  for  patient- 
identifiable  information.  In  addition,  MedSite  must  comply  with  regulations  for  protecting 
the  privacy  of  and  securing  electronic  patient  information. 

•  Paper  medical  records  -  These  records  are  somewhat  less  important  than  PIDS,  because 
MedSite  is  trying  to  move  away  from  its  reliance  on  paper  medical  records.  However,  the 
migration  will  take  several  years.  In  the  meantime,  the  team  decided  that  paper  records  also 
constituted  a  critical  asset,  because  those  records  contain  patient-identifiable  information 
and  are  subject  to  privacy  regulations. 

•  ABC  Systems  -  MedSite  has  become  reliant  upon  the  information  technology  (IT)  services 
provided  by  ABC  Systems,  MedSite’s  main  IT  contractor.  ABC  Systems  maintains  PIDS  and 
other  systems  for  MedSite  and  is  also  developing  PIDS  II,  the  replacement  for  PIDS.  ABC 
Systems  was  an  obvious  choice  as  a  critical  asset  given  the  importance  of  PIDS,  PIDS  II, 
and  MedSite’s  ongoing  efforts  to  become  a  paperless  environment.  ABC  Systems  is  also 
typical  of  other  types  of  contracting  done  by  MedSite. 

•  Personal  computers  (PCs)  -  The  analysis  team  noted  that  personal  computers  were  common 
to  all  systems,  providing  a  conduit  to  all  important  electronic  information. 

•  ECDS  (Emergency  Care  Data  System)  -  This  system  was  selected  because  it  is 
representative  of  many  smaller  systems  used  at  MedSite. 

The  analysis  team  recorded  its  choices  for  critical  assets  on  the  Critical  Asset  Selection  Worksheet 
[p.  83].The  team  then  started  a  Critical  Asset  Workbook  for  each  critical  asset  (Step  6).  It  also 
recorded  its  rationale  for  selecting  each  asset  (Step  7)  as  well  as  who  uses  and  is  responsible  for 
each  critical  asset  (Step  8)  on  each  asset’s  Critical  Asset  Information  Worksheet  [p.  87]. 
Information  about  asset  relationships  had  already  been  recorded  on  the  Asset  Identification 
Worksheet  and  was  transcribed  to  the  Critical  Asset  Information  Worksheet  (Step  9). 
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S2.2:  Identify  security  requirements  for  critical  assets  (Steps  10-11) 


Team  members  discussed  which  qualities  of  each  asset  were  important  to  protect.  This  discussion 
resulted  in  the  identification  of  security  requirements  for  each  critical  asset,  which  were  recorded 
on  the  appropriate  Critical  Asset  Information  Worksheets  (Step  10)  [p.  87].  Selecting  the  most 
important  security  requirement  was  frequently  difficult,  requiring  significant  discussion.  For 
example,  team  members  spent  a  lot  of  time  discussing  which  security  requirement  for  PIDS  was 
most  important  (Step  11).  After  a  healthy  debate,  the  team  selected  availability  of  patient 
information  as  the  most  important  security  requirement  for  PIDS  because  the  health  and  safety  of 
patients  require  immediate  and  continuous  access  to  patient  information  on  PIDS.  Confidentiality 
was  also  considered  to  be  important,  but  it  lacked  the  life  and  health  implications  of  availability. 
Most  of  the  issues  surrounding  confidentiality  were  actually  related  to  regulations.  The  team 
decided  that  when  making  tradeoffs,  the  availability  of  medical  information  ultimately  trumped 
violations  of  privacy  laws. 

S2.3:  Identify  threats  to  critical  assets  (Steps  12  — 16) 

The  analysis  team  then  began  constructing  a  threat  profile  for  each  critical  asset,  recording  the 
profile  on  the  appropriate  Risk  Profile  Worksheets  [pp.  91  and  131].  Team  members  consulted  the 
appropriate  Threat  Translation  Guide  (Volumes  5-8)  to  ensure  they  actually  understood  the 
implied  threats.  For  PIDS  (using  Volume  6  for  systems  assets),  the  team  believed  that  all  of  the 
branches  for  the  human  actors  using  network  and  physical  access  trees  were  active,  non- 
negligible  threats  (Step  12).  Team  members  came  to  this  conclusion  based  on  their  experiences 
and  known  issues  related  to  network  and  physical  security.  The  team  believed  that  most  threats 
from  the  system  problems  category  would  typically  affect  only  the  availability  of  information  on 
PIDS.  The  exception  to  this  was  malicious  code,  which  could  result  in  any  outcome.  Threats  from 
the  other  problems  category  were  also  believed  to  affect  only  the  availability  of  PIDS. 

For  ABC  Systems,  the  nature  of  the  threats  was  quite  different,  because  it  is  a  different  type  of 
asset  (people)  than  PIDS  (system).  The  team  was  really  concerned  about  only  one  type  of  threat  - 
not  having  qualified,  timely  support  from  ABC  Systems  personnel.  This  was  the  only  threat  that 
the  team  recorded  for  ABC  Systems. 

For  PIDS,  the  team  identified  the  types  of  people  who  might  be  considered  threat  actors  (Step 
13).  The  team  documented  a  broad  range  of  potential  actors,  including  hackers,  disgruntled 
employees,  and  ABC  Systems’  personnel.  With  no  insight  into  how  ABC  Systems  handled  access 
to  confidential  information  or  violations  of  security,  the  team  was  concerned  about  the  potential 
threat  posed  by  that  contractor’s  employees.  Team  members  were  also  concerned  about  the  lax 
behavior  of  many  staff  members  at  MedSite,  especially  regarding  casual  and  loose  conversations 
about  patients.  Smith  acknowledged  that  the  limitations  of  space  and  funding  had  resulted  in 
extremely  tight  working  conditions  that  virtually  forced  most  admissions  staff  to  share  passwords 
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and  accounts  just  to  get  their  jobs  done  in  a  reasonable  amount  of  time.  Employees  constituted  a 
strong  source  of  a  range  of  accidental  incidents. 

With  the  exception  of  disgruntled  employees,  the  team  determined  that  the  motivation  of  insiders 
was  generally  low  (Step  14).  Outsiders’  motives  were  difficult  to  estimate,  but  the  team  did  feel 
that  being  a  small,  relatively  anonymous  medical  organization  made  MedSite  a  less  attractive 
target  for  outsiders.  The  team  decided  that  the  motives  of  outsiders  were  low. 

The  team  decided  to  talk  to  a  few  knowledgeable  staff  members  at  MedSite  and  ABC  Systems  to 
determine  the  known  history  for  some  of  the  threats  (Step  15).  ABC  Systems  had  some  data,  but 
they  were  not  comprehensive.  In  fact,  given  the  lack  of  tangible  data  produced  by  people  from 
ABC  Systems,  analysis  team  members  became  concerned  about  what  ABC  Systems  was  doing  to 
monitor  PIDS  and  other  systems.  The  team  member  with  information  technology  experience 
knew  enough  to  be  skeptical  of  ABC  Systems’  network  monitoring  practices.  The  team  recorded  a 
recommendation  to  the  Notes  and  Recommendations  Worksheet  [p.  17]  to  verify  what  ABC 
Systems  was  doing  to  monitor  MedSite’s  systems  and  networks.  The  team  also  marked  its 
confidence  in  this  historical  data  as  low. 

Specific  areas  of  concern  were  recorded  on  the  Risk  Profile  Worksheets  (Step  16)  [pp.  91  and  131] 
whenever  the  team  had  a  particular  example  or  historical  incident  relative  to  a  threat.  For 
example,  it  was  well-known  that  staff  members  occasionally  looked  up  patient  information  about 
their  friends  and  relatives,  violating  privacy.  In  addition,  the  physical  configuration  of  offices  and 
the  inclusion  of  workstations  in  patient  rooms  also  led  to  many  privacy  violations.  Alvarez 
mentioned  that  physicians  were  still  having  a  hard  time  remembering  to  log  off  PIDS  when  they 
left  a  treatment  room.  All  team  members  also  noted  PIDS’  notorious  history  of  failing  at 
inopportune  times.  Finally,  the  team  was  concerned  that  ABC  Systems  did  not  really  understand 
either  the  general  needs  of  a  medical  facility  or  the  effects  of  the  new  privacy  and  security 
regulations. 

All  actions  items  from  Process  S2  were  documented  on  the  Action  List  Worksheet  [p.  27]. 


1.4.2  Phase  2:  Identify  Infrastructure  Vulnerabilities 

The  analysis  team  met  daily  over  the  course  of  a  few  days  to  complete  Phase  2.  Team  members 
performed  a  cursory  examination  of  how  people  at  MedSite  accessed  critical  assets  via  the 
organization’s  networks.  The  team  also  reviewed  the  extent  to  which  security  was  considered 
when  configuring  and  maintaining  MedSite’s  computers  and  networks.  Because  people  at 
MedSite  had  little  insight  into  what  ABC  Systems  was  doing  to  configure  and  maintain  MedSite’s 
systems  and  networks,  the  team  decided  to  record  a  recommendation  (see  Notes  and 
Recommendations  Worksheet  [p.  17]).  The  recommendation  called  for  MedSite’s  IT  staff  to  work 


8 


CMU/SEI-2003-HB-003  Volume  10 


OCTAVE-S  V1.0 


MedSite  Background 


more  closely  with  ABC  Systems  after  the  evaluation  to  communicate  MedSite’s  security 
requirements  to  ABC  Systems  and  to  verify  that  those  requirements  were  being  met. 

1. 4.2.1  Process  S3:  Examine  the  Computing  Infrastructure  in  Relation 

to  Critical  Assets 

S3.1:  Examine  access  paths  (Steps  17  - 18) 

The  analysis  team  used  the  Network  Access  Paths  Worksheet  [p.  1 39]  as  it  reviewed  how  people 
accessed  MedSite’s  critical  assets.  The  team  noted  that  PIDS  was  its  own  system  of  interest  (Step 
17).  It  also  noted  that  ECDS  was  its  own  system  of  interest,  while  PCs  included  all  major  systems 
as  their  systems  of  interest.  Neither  ABC  Systems  nor  the  paper  medical  records  were  reviewed 
during  this  phase,  because  network  attacks  are  irrelevant  to  these  types  of  assets. 

For  PIDS,  the  analysis  team  identified  key  classes  of  components  that  were  part  of  or  related  to 
PIDS.  This  activity  included  a  cursory  examination  of  internal  and  external  access  points  for 
PIDS  (Step  18).  Team  members  had  different  views  of  what  constituted  the  PIDS  system.  After 
much  discussion,  they  agreed  that  PIDS  included  server  A  and  on-site  workstations  (Step  18a). 
They  then  looked  at  how  people  typically  accessed  PIDS.  The  team  determined  that  people  used 
on-site  workstations,  laptops,  PDAs,  and  home  workstations  to  access  PIDS  (Step  18c).  The  team 
decided  that  intermediate  access  points  included  both  internal  and  external  networks  (Step  1 8b) 
and  that  PIDS  information  was  stored  both  locally  and  off-site  (Step  18d).  Finally,  the  team 
determined  that  other  systems,  most  notably  ECDS  and  the  Financial  Record  Keeping  System 
(FRKS),  also  automatically  accessed  information  from  PIDS  (Step  18e). 


S3.2:  Analyze  technology-related  processes  (Steps  19  -  21) 

This  activity  requires  an  analysis  team  to  assume  an  infrastructure  point  of  view  when  analyzing 
information.  MedSite’s  team  documented  the  key  classes  of  components  (Step  19a)  and  then 
noted  which  critical  assets  were  related  to  each  key  class  (Step  19b).  The  team  then  determined 
who  was  responsible  for  maintaining  and  securing  each  key  class  (Step  20).  Where  MedSite’s 
own  IT  personnel  were  responsible  for  day-to-day  operations,  they  could  make  an  estimate  of 
how  secure  the  component  classes  were  (Step  21).  Many  classes,  however,  were  maintained  by 
ABC  Systems,  and  the  level  of  security  for  those  classes  was  unknown.  The  analysis  team 
recorded  this  information  on  the  Infrastructure  Review  Worksheet  [p.  143]. 


Overall,  the  security  of  most  classes  of  components  was  not  consistently  known.  The  team 
recorded  some  general  recommendations  to  pursue  the  relationship  with  ABC  Systems  and  work 
towards  more  formal  vulnerability  testing  with  them  on  the  Notes  and  Recommendations 
Worksheet  [p.  17]. 
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Finally,  the  team  reviewed  the  Risk  Profiles  for  PIDS,  ECDS,  and  PCs  [pp.  91  and  131]  as  well  as 
the  Security  Practices  Worksheet  [p.  51],  looking  to  refine  information  on  those  worksheets  based 
on  the  team’s  Phase  2  analysis.  Team  members  decided  there  were  no  changes  to  the  threat  trees, 
just  more  validation  for  the  concerns  already  identified.  They  did  add  an  additional  area  of 
concern  on  the  Risk  Profile  Worksheet  (Step  16)  [p.  131]  about  ABC  Systems  personnel  not  only 
having  access  to  patient  information  but  also  being  able  to  destroy  it. 

The  IT  team  member  also  brought  up  the  concern  that  what  he  observed  on  a  daily  basis  did  not 
support  ABC  Systems’  statements  that  it  kept  up  with  vulnerability  testing  and  patches.  The  team 
recorded  this  observation  on  the  Security  Practices  Worksheet  [p.  51]  as  an  example  of  what 
MedSite’s  contractor  was  not  doing  well. 

No  other  action  items,  notes,  or  recommendations  from  Process  S3  were  identified. 


1.4.3  Phase  3:  Develop  Security  Strategy  and  Plans 

The  analysis  team  added  an  additional  team  member  to  help  with  the  development  of  mitigation 
plans  in  Process  S5.  The  new  team  member  had  a  lot  of  expertise  in  problem  solving  as  well  as 
developing  plans,  budgets,  and  schedules  for  MedSite.  To  ensure  that  she  developed  an 
understanding  of  the  evaluation,  the  new  team  member  observed  Process  S4. 

1. 4.3.1  Process  S4:  Identify  and  Analyze  Risks 

S4.1:  Evaluate  impact  of  threats  (Step  22) 

The  analysis  team  used  the  Impact  Evaluation  Criteria  [p.  33]  they  developed  during  Process  SI 
to  evaluate  the  impacts  of  the  threats  on  the  organization.  The  team  recorded  all  impact  values  on 
the  Risk  Profile  Worksheets  [pp.  91  and  131].  Team  members  considered  the  health  and  safety  of 
patients  to  be  the  most  important  criteria,  with  the  remaining  criteria  all  being  equal  to  each  other. 
The  team  had  some  difficulty  estimating  the  impacts  to  productivity  and  reputation  for  a  few  of 
the  threats  and  decided  to  get  additional  help.  Team  members  identified  key  people  with 
experience  in  legal  matters,  public  relations,  and  nursing  to  help  the  team  estimate  the  values  for 
certain  threats.  Together,  they  all  reviewed  each  area  of  concern  and  talked  about  the  types  of 
specific  actions  that  would  have  to  be  taken  to  deal  with  a  realized  threat,  providing  a  basis  for 
estimating  the  actual  level  of  impact  (high,  medium,  low).  In  particular,  team  members  looked  for 
any  threats  that  might  result  in  physical  harm  or  death  to  patients.  The  team  also  noted  on  the 
Notes  and  Recommendations  Worksheet  [p.  17]  that  the  evaluation  criteria  should  be  more 
broadly  reviewed  and  approved  by  management. 
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S4.2:  Establish  probability  evaluation  criteria  (Step  23) 

The  team  defined  MedSite’s  probability  evaluation  criteria  using  the  Probability  Evaluation 
Criteria  Worksheet  [p.  149].  It  relied  on  its  experience  and  expertise  as  well  as  the  limited 
historical  information  it  had  for  threats.  Team  members  reviewed  the  known  histories  of  threats 
recorded  on  the  Risk  Profile  Worksheets  [pp.  91  and  131]  when  setting  probability  measures 
(high,  medium,  low).  When  defining  the  criteria,  the  team  also  referenced  historical  data  about 
certain  types  of  threats  commonly  used  by  other  medical  organizations  when  assessing  risk. 


S4.3:  Evaluate  probabilities  of  threats  (Step  24) 

Using  the  Probability  Evaluation  Criteria  [p.  149],  the  team  evaluated  the  probability  of  each 
active  threat  occurring  by  using  the  contextual  information  they  had  previously  recorded  on  the 
Risk  Profile  Worksheets  (Steps  13-16)  [pp.  91  and  131].  Because  they  had  low  confidence  in  their 
historical  estimations  for  network-based  threats,  team  members  lacked  confidence  in  their 
probability  estimates  for  those  types  of  threats.  However,  for  a  few  threats,  such  as  unauthorized 
insiders  accidentally  viewing  information  via  systems  and  networks,  team  members  were  quite 
confident  that  the  probability  was  high  because  of  the  known  history  of  such  actions.  Because  it 
had  minimal  confidence  in  many  of  its  probability  estimates,  the  team  decided  to  use  probability 
only  as  a  tie-breaker  when  selecting  risks  for  mitigation.  Impact  would  be  the  primary  decision¬ 
making  driver.  The  team  recorded  estimates  for  probability  for  all  active  risks  on  the  Risk  Profile 
Worksheets  [pp.  91  and  131]. 

No  additional  actions,  notes,  or  recommendations  were  identified  during  Process  S4. 

1. 4.3.2  Process  S5:  Develop  Protection  Strategy  and  Mitigation  Plans 

S5.1:  Describe  current  protection  strategy  (Step  25) 


The  analysis  team  reviewed  the  Security  Practices  Worksheet  [p.  51]  that  it  completed  earlier  in 
the  evaluation.  Team  members  transcribed  the  stoplight  status  for  each  area  to  the  Protection 
Strategy  Worksheets  [p.  153].  They  then  discussed  the  current  practices  and  vulnerabilities 
identified  in  each  practice  area.  The  team  noted  that  the  protection  strategy  and  the  security 
practices  survey  examine  two  different  facets  of  security  practice  areas.  The  protection  strategy 
describes  the  processes  used  to  perform  activities  in  each  security  practice  area,  focusing  on  the 
extent  to  which  processes  are  formally  defined.  On  the  other  hand,  the  stoplight  status  on  the 
security  practices  survey  indicates  how  well  the  team  believes  its  organization  is  performing  in 
each  area.  Team  members  noted  that  an  organization  could  be  performing  very  well  in  an  area, 
but  have  very  informal  processes.  Likewise,  an  organization  could  have  significant  room  for 
improvement  despite  having  very  formal  policies  and  procedures.  They  defined  the  current 
protection  strategy  for  the  organization  and  recorded  the  results  on  the  Protection  Strategy 
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Worksheets  [p.  153].  The  protection  strategy,  along  with  stoplight  status  information,  provided 
team  members  with  a  broad  view  of  MedSite’s  overall  approach  to  security  and  the  extent  to 
which  it  was  working. 


S5.2:  Select  mitigation  approaches  (Steps  26  -  27) 

The  team  transcribed  the  stoplight  statuses  from  the  Security  Practices  Worksheet  [p.  51]  to  the 
Risk  Profile  Worksheets  (Step  26)  [pp.  91  and  131],  illustrating  the  current  status  of  each  security 
practice  area  in  relation  to  the  active  risks.  Before  proceeding,  the  analysis  team  needed  to  agree 
upon  the  criteria  for  making  decisions.  Team  members  decided  that  they  would  look  to  mitigate 
risks  meeting  the  following  criteria: 

•  risks  affecting  the  health  and  safety  of  MedSite’s  patients  (i.e.,  risks  with  a  high  impact 
value  for  the  “Safety”  impact  area).  Reputation  and  financial  impacts  were  considered 
to  be  secondary  factors. 

•  risks  affecting  the  most  important  security  requirement  (Step  10)  of  the  asset  (e.g., 
availability  of  PIDS) 

•  risks  linked  to  specific  areas  of  concern  about  the  asset 

Because  it  had  little  confidence  in  many  if  its  probability  estimates,  the  team  decided  to  use 
probability  as  a  tie-breaker  when  comparing  two  similar  risks.  Team  members  reviewed  the  Risk 
Profile  Worksheet  for  each  critical  asset  [pp.  91  and  131],  focusing  on  potential  impacts  of  risks  in 
relation  to  stoplight  statuses.  The  analysis  team  was  initially  overwhelmed.  It  had  assigned  nine 
security  practice  areas  “red”  stoplight  statuses  and  six  security  practice  areas  “yellow”  stoplight 
statuses.  However,  the  team  did  not  assign  a  “green”  stoplight  status  to  any  area.  Based  on  its 
decision-making  criteria,  the  team  looked  across  all  critical  assets  and  decided  which  nsks  it 
would  mitigate.  Next  it  decided  which  risks  it  could  accept.  All  remaining  risks  were  designated 
to  be  deferred  and  revisited  at  a  later  date.  The  analysis  team  decided  to  recommend  (on  the  Notes 
and  Recommendations  Worksheet  [p.  17])  that  all  deferred  risks  be  looked  at  again  a  month  after 
the  end  of  the  evaluation. 

To  mitigate  the  risks,  the  team  selected  the  following  security  practice  areas  as  mitigation  areas: 

•  Security  Awareness  and  Training  -  The  analysis  team  believed  that  their  security 
awareness  training  did  not  adequately  prepare  personnel  to  handle  the  day-to-day 
security  issues  that  arise.  Improving  this  area  should  reduce  the  accidental,  inside 
threat  sources. 

•  Collaborative  Security  Management  -  ABC  Systems  provided  support  for  managing  the 
network  and  most  of  the  systems  at  MedSite,  including  PIDS.  ABC  Systems  also 
conducted  periodic  vulnerability  evaluations  of  MedSite’s  computing  infrastructure. 
The  analysis  team  was  concerned  about  MedSite’s  procedures  for  working  with  ABC 


12 


CMU/SEI-2003-HB-003  Volume  10 


OCTAVE-S  V1.0 


MedSite  Background 


Systems.  The  team  believed  that  ABC  Systems  might  not  be  meeting  MedSite’s 
information  security  requirements.  Many  unanswered  questions  and  ambiguities  arose 
during  Process  S3,  so  the  team  recommended  that  MedSite  review  and  revise  its 
procedures  for  working  with  ABC  Systems.  With  respect  to  physical  security,  the 
Facilities  Management  Group  was  responsible  for  physically  securing  MedSite’s 
building.  No  one  at  MedSite  has  been  formally  working  with  the  staff  from  Facilities 
Management  group.  Because  of  this,  the  team  recommended  that  the  organization 
review  and  revise  procedures  for  working  with  the  Facilities  Management  Group. 

•  Monitoring  and  Auditing  Physical  Security  -  There  was  some  concern  by  team  members 
that  physical  security  problems  existed  at  MedSite  and  were  not  being  handled  by  the 
Facilities  Management  Group.  The  team  identified  several  risks  with  potentially  high 
impact  to  the  health  and  safety  of  patients  based  on  physical  access  by  internal  and 
external  threat  actors.  The  team  decided  that  practices  related  to  Physical  Access 
Control  were  adequate.  However,  practices  related  to  Monitoring  and  Auditing  Physical 
Security  required  significant  improvement.  For  this  reason,  Monitoring  and  Auditing 
Physical  Security  was  selected  as  a  mitigation  area.  However,  because  third  parties  were 
involved  in  monitoring  and  auditing  physical  security  for  MedSite,  there  was  some 
overlap  with  the  Collaborative  Security  Management  security  practice  area. 

•  Authentication  and  Authorization  -  MedSite  was  not  using  a  consistent  means  of 
controlling  access  to  its  systems  and  networks  (e.g.,  role-based  management  of 
accounts).  Staff  members  inherited  far  too  many  access  privileges  over  time.  The  team 
was  concerned  about  the  potential  consequences  of  these  issues.  For  example, 
disgruntled  staff  members  could  abuse  this  increased  access  to  affect  the  availability  of 
PIDS  or  to  modify  medical  information. 

The  team  documented  its  rationale  for  selecting  each  area  on  the  Notes  and  Recommendations 
Worksheet  [p.  17].  It  also  circled  mitigation  areas  on  the  appropriate  Risk  Profile  Worksheets  [pp. 
91  and  131]  that  reduce  risks  designated  as  “mitigate.”  Despite  its  own  earlier  recommendation  to 
look  at  Vulnerability  Management  as  a  mitigation  area,  the  team  decided  that  the  improvements  in 
the  Collaborative  Security  Management  area  could  mitigate  a  greater  number  of  risks  related  to 
the  computing  infrastructure  than  could  improvements  in  Vulnerability  Management. 


S5.3:  Develop  risk  mitigation  plans  (Step  28) 

The  team  developed  mitigation  plans  for  each  selected  area  using  the  Mitigation  Plan  Worksheets 
[p.  181].  The  plan  for  each  selected  security  practice  area  includes  specific  activities  designed  to 
mitigate  specified  risks.  Some  of  the  mitigation  activities  were  quite  broad  in  nature.  For 
example,  one  mitigation  activity  indicated  that  periodic  security  awareness  training  should  be 
provided  for  all  employees  once  a  year.  Other  mitigation  activities  were  more  focused  in  nature. 
For  example,  one  mitigation  activity  specified  that  IT  staff  members  receive  training  in  particular 
technologies.  This  activity  did  not  address  training  across  all  technologies,  only  for  a  selected 
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few.  As  it  defined  each  mitigation  activity,  the  team  also  recorded  its  rationale  for  that  particular 
activity  (what  was  it  mitigating  or  improving),  who  should  be  responsible  for  the  activity,  and  any 
additional  management  action  that  might  be  required  to  implement  that  activity. 


S5.4:  Identify  changes  to  protection  strategy  (Step  29) 

The  analysis  team  reviewed  the  Protection  Strategy  Worksheets  [p.  153]  to  note  any  changes 
triggered  by  mitigation  activities.  For  example,  the  mitigation  activity  that  called  for  security 
awareness  training  for  all  employees  once  a  year  triggered  a  change  in  MedSite  s  protection 
strategy.  The  protection  strategy  previously  required  security  awareness  training  only  for  new 
employees.  On  the  other  hand,  the  mitigation  activity  that  specified  training  in  particular 
technologies  for  IT  staff  members  did  not  trigger  a  change  in  MedSite’s  protection  strategy 
because  the  activity  did  not  address  training  for  all  technologies.  This  activity  simply  improved 
how  one  aspect  of  MedSite’s  protection  strategy  was  implemented. 

Next,  the  team  reviewed  the  protection  strategy,  looking  for  any  additional  changes  to  the  strategy 
that  it  wanted  to  make.  It  immediately  focused  on  the  Security  Policies  and  Regulations  area. 
MedSite  had  a  partial  set  of  documented  security-related  policies.  Because  MedSite  would  soon 
be  required  to  comply  with  new  data  security  regulations,  the  team  decided  that  procedures  for 
complying  with  those  regulations  would  need  to  be  created.  It  marked  that  change  to  the 
protection  strategy.  Team  members  also  noted  that  while  some  security-related  policies  existed, 
few  staff  members  understood  them.  Since  security  awareness  training  was  already  being 
updated,  the  team  decided  to  include  information  about  MedSite  s  security  policy  in  that  training. 
Finally,  the  team  decided  to  address  policy  enforcement.  Even  if  people  knew  about  and 
understood  MedSite’s  security  policy,  their  behaviors  would  change  only  if  they  also  knew  that 
management  was  enforcing  that  policy.  Thus,  the  team  decided  that  procedures  for  enforcing 
MedSite’s  policy  needed  to  be  created.  The  team  then  developed  a  mitigation  plan  to  implement 
the  changes  to  the  Security  Policies  and  Regulations  area.  In  the  rationale  area  for  each  mitigation 
activity,  the  team  noted  that  these  activities  were  driven  by  general  concerns  and  regulations, 
rather  than  by  specific  risks. 

The  analysis  team  also  identified  the  following  two  action  items  during  Process  S5,  documenting 
them  on  the  Action  List  Worksheet  [p.  27]: 


•  Resend  basic  security  policy  reminders.  The  IT  department  had  sent  emails  to  all  staff  in 
the  past  regarding  basic  security  policy  issues.  Because  improving  MedSite’s  security 
awareness  and  training  program  was  seen  as  a  long-term  initiative,  this  action  item 
provided  a  short-term  awareness  mechanism  without  much  investment. 

•  Change  the  physical  configuration  of  the  admissions  office.  One  of  the  physical  security 
problems  identified  during  the  evaluation  was  the  physical  configuration  of  the 
admissions  area.  Most  workstations  were  directed  toward  public  areas,  where  patients 
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and  staff  could  see  medical  information  on  the  screens  of  those  workstations.  To  protect 
the  privacy  of  medical  and  admissions  information,  the  analysis  team  decided  to 
recommend  changing  the  configuration  of  the  admissions  office  to  ensure  that 
workstations  could  not  be  easily  seen  by  people  passing  through  the  admissions  area. 

S5.5:  Identify  next  steps  (Step  30) 

Using  the  Next  Steps  Worksheet  [p.  195],  the  team  identified  several  items  required  to  support 
implementation  of  OCTAVE-S  results.  First,  senior  management  needed  to  make  information 
security  a  priority  and  not  a  back-burner  issue.  Second,  adequate  funding  to  implement  the 
mitigation  plans,  protection  strategy  changes,  and  action  items  needed  to  be  allocated.  The  team 
also  noted  that  the  following  items  would  need  to  be  completed  within  the  next  month. 

•  People  who  had  been  assigned  responsibility  for  implementing  a  mitigation  plan  will 
provide  a  detailed  implementation  plan  for  review. 

•  All  deferred  risks  will  be  reviewed. 

•  The  analysis  team  will  compare  the  security  practice  surveys  to  regulations  (including 
HIPAA)  to  determine  if  there  are  any  additional  practices  that  need  to  be  added  or 
improved  to  comply  with  current  regulations. 

The  team  also  recommended  conducting  another  OCTAVE-S  evaluation  in  about  12-18  months, 
providing  sufficient  time  to  implement  the  recommendations  from  the  evaluation  it  had  just 
completed. 
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Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 

recommendation 

relevant? 

We  need  a  way  to  determine  what  ABC  Systems  is  doing  to  monitor  for 
external  attacks.  This  may  require  a  contractual  discussion. 

Step  15 

Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 

recommendation 

relevant? 

We  need  a  more  formal  or  increased  communication  with  ABC  Systems. 

Step  21 
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Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 

recommendation 

relevant? 

The  ability  to  manage  vulnerabilities  should  be  a  candidate  for  a  risk 
mitigation  plan  in  Phase  3.  This  may  also  be  more  of  ABC  Systems' 
responsibility  than  ours. 

Step  27 

Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 

recommendation 

relevant? 

Security  Awareness  and  Training  is  selected  as  a  mitigation  area. 

Rationale:  MedSite's  security  awareness  training  does  not  adequately 
address  the  security  issues  that  staff  members  face  on  a  daily  basis. 
Improving  this  area  would  help  to  address  several  risks  with  a  high 
safety  impact  linked  to  accidental  actions  by  staff  members. 

Step  27 
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Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 

recommendation 

relevant? 

Collaborative  Security  Management  is  selected  as  a  mitigation  area. 

Rationale:  ABC  Systems  provides  support  for  managing  the  network 
and  most  of  the  systems  at  MedSite,  including  PIDS.  ABC  Systems 
also  conducts  periodic  vulnerability  evaluations  of  MedSite's  computing 
infrastructure.  ABC  Systems  might  not  be  meeting  MedSite's 
information  security  requirements.  Since  ABC  Systems  plays  such  a 
vital  role  in  configuring,  maintaining,  and  securing  MedSite's  computing 
infrastructure,  procedures  for  working  with  ABC  Systems  should  be 
reviewed  and  revised. 

Steo  27. 

Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 

recommendation 

relevant? 

Monitoring  and  Auditing  Physical  Security  is  selected  as  a  mitigation 

area. 

Rationale:  There  is  concern  that  physical  security  problems  exist  at 
MedSite.  The  team  identified  several  risks  with  potentially  high 
impact  to  the  health  and  safety  of  patients  based  on  physical  access 
by  internal  and  external  threat  actors.  However,  the  team  does  not 
have  enough  information  to  determine  exactly  how  to  address  the 
issue.  Conducting  a  physical  security  audit  will  characterize  the  extent 
of  the  problem. 

Step  27 
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Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 

recommendation 

relevant? 

Authentication  and  Authorization  is  selected  as  a  mitigation  area. 

Rationale:  MedSite  is  currently  not  using  role-based  management  of 
accounts.  In  addition,  staff  members  inherit  far  too  many  access 
privileges  over  time.  The  team  is  concerned  about  the  potential 
consequences  of  these  issues.  For  example,  disgruntled  staff  members 
could  abuse  this  increased  access  to  modify  information. 

Step  27 

Recommendation 

What  recommendations  do  you  want  to  record? 

For  which  step  is  this 
recommendation 

relevant? 

Look  at  all  deferred  risks  again  in  30  days. 

Step  26 
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Action  Item  j 

What  actions  do  you  intend  to  take? 

For  which  step  is 

this  action  item 

Assign  an  identification  number  to  each  action  item. 

relevant? 

Ask  ABC  systems  what  other  medical-related  customers 

Step  13 

ID# 

1 

they  have  and  if  we  could  talk  to  them. 

Action  Item 

What  actions  do  you  intend  to  take? 

Assign  an  identification  number  to  each  action  item . 

For  which  step  is 

this  action  item 

relevant? 

ID# 

2 

Look  for  other  vendors  in  this  vicinity  who  could  be 
candidates  for  taking  over  our  systems  should  we  need 
an  alternative  vendor.  Check  medical  conferences  and 
society  meetings/seminars. 

Step  13 
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Responsibility: 


Completion  Date: 


Additional 

Support: 


Responsibility: 


Completion  Date: 


Additional 

Support: 


Action  Item 

What  additional  information  do  you  want  to  document  for  each  action  item? 

Record  additional  information  below. 

Who  is  responsible  for  completing  the  action  item? 

Administration  -  contract  manager 

By  when  must  the  action  item  be  completed? 

Within  the  next  2  weeks 

What  additional  support  (by  management  or  others)  is  required  to  complete  the 

action  item? 

I  Action  Item 

What  additional  information  do  you  want  to  document  for  each  action  item? 

Record  additional  information  below. 

Who  is  responsible  for  completing  the  action  item? 

Analysis  team  members  and  a  few  others  who  attend  conferences 
and  seminars. 

By  when  must  the  action  item  be  completed? 

Within  the  next  6  months 


What  additional  support  (by  management  or  others)  is  required  to  complete  the 
action  item? 
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Responsibility: 


Completion  Date: 


Additional 

Support: 


Responsibility: 


Completion  Date: 


Additional 

Support: 


Action  Item 

What  additional  information  do  you  want  to  document  for  each  action  item? 

Record  additional  information  below . 

Who  is  responsible  for  completing  the  action  item? 

IT  Group 

By  when  must  the  action  item  be  completed? 

Within  the  next  2  weeks 

What  additional  support  (by  management  or  others)  is  required  to  complete  the 

1  action  item? 

I  MedSite's  CIO  needs  to  approve  this  action  item  and  assign  it  to  1 

|  someone  in  the  IT  group. 

_ 1 

Action  Item 

What  additional  information  do  you  want  to  document  for  each  action  item? 

Record  additional  information  below. 

Who  is  responsible  for  completing  the  action  item? 

Facilities  Management 

By  when  must  the  action  item  be  completed? 

Within  the  next  month 

1  What  additional  support  (by  management  or  others)  is  required  to  complete  the  1 

1  action  item? 

I  MedSite's  management  team  needs  to  approve  this  action  item  j 

|  and  assign  it  to  the  Facilities  Management  Group. 

_ 1 
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4  Impact  Evaluation  Criteria  Worksheet 


Step  1 
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|  Reputation/Customer  Confidence  1 

Impact  Type 

Low  Impact 

Reputation 

Reputation  is  minimally  effected;  little  or  no 
effort  or  expense  is  required  to  recover. 

Customer  Loss 

Less  than _ 10 _ %  reduction  in  customers 

due  to  loss  of  confidence 

Other: 

Other: 
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Reputation/Customer  Confidence 

Medium  Impact 

High  Impact 

Reputation  is  damaged,  and  some  effort  and 
expense  is  required  to  recover. 

Reputation  is  irrevocably  destroyed  or 
damaged. 

10  to  30  %  reduction  in  customers 

due  to  loss  of  confidence 

More  than  30  %  reduction  in  customers 

due  to  loss  of  confidence 

. . . . — . . . . . . 
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Financial 


Impact  Type 


Operating  Costs 


Revenue  Loss 


Low  Impact 


Increase  of  less  than _ 2 _ %  in  yearly 

operating  costs 


Less  than _ 5 _ %  yearly  revenue  loss 


One-Time  Financial  Loss 


One-time  financial  cost  of  less  than 

$  250  000_ 


Other: 


Impact  Evaluation  Criteria  Worksheet 


Financial 

Medium  Impact 

High  Impact 

Yearly  operating  costs  increase  by  2  to 

15  _% 

Yearly  operating  costs  increase  by  more  than 

15  % 

5  to  20  %  vearlv  revenue  loss 

Greater  than  20  %  yearly  revenue  loss 

One-time  financial  cost  of  $  250 .000  _ 
to$  1  million  _ 

One-time  financial  cost  greater  than 

$_1  million  _ 
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Productivity 


Medium  Impact 

High  Impact 

Staff  work  hours  are  increased  between 

10  %  and  30  %  for -  to  .  2 

Staff  work  hours  are  increased  by  greater  than 
30  %  for - to  2  davfs). 

day(s). 
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Safety/Health 


Impact  Type 

Low  Impact 

Life 

patients' 

No  loss  or  significant  threat  to  customers’  or  staff 
members1  lives 

Health 

Minimal,  immediately  treatable  degradation  in 
customers*  or  staff  members1  health  with 
recovery  within  four  days  pGtl6ntS 

Safety 

Safety  questioned 

Other : 

• 

An 
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Safety/Health 

Medium  Impact 

High  Impact 

Patients' 

Customers’  or  staff  members’  lives  are 
threatened,  but  they  will  recover  after 
receiving  medical  treatment. 

patients' 

Loss  of  customers’  or  staff  members’  lives 

Temporary  or  recoverable  impairment  of 

Permanent  impairment  of  significant  aspects 
of  customers'  or  staff  members-  health 

customers  or  stan  memoere-  neaiui 

patients' 

patients' 

Safety  affected 

Safety  violated 
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Impact  Type 

Low  Impact 

Fines 

Fines  less  than  $  10 ,000 _ are  levied. 

Lawsuits 

Non-frivolous  lawsuit(s)  less  than 

$  100,000 _  are  filed  against  the 

organization  or  frivolous  lawsuit(s)  are  filed 
against  the  organization. 

Investigations 

No  queries  from  government  or  other 
investigative  organizations. 

Other: 

Impact  Evaluation  Criteria  Worksheet 


Fines/Legal  Penalties 

Medium  Impact 

High  Impact 

Fines  between  $  10,000 _ and 

$  100 ,000 _ are  levied. 

Fines  greater  than  $  100 ,000 _ are  levied. 

Non-frivolous  lawsuit(s)  between 

$  100 ,000  and  $  1  m  i  1 1  ion  _is 

filed  against  the  organization. 

Non-frivolous  lawsuit(s)  greater  than 

$  1  million _ is  filed  against  the 

organization. 

Government  or  other  investigative 
organization  requests  information  or  records 
(low  profile). 

Government  or  other  investigative 
organization  initiates  a  high-profile,  in-depth 
investigation  into  organizational  practices. 
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5  Asset  Identification  Worksheet 


Step  2 
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Information,  Systems,  and  Applications 


System 

Information 

What  systems  do  people  in  your  organization  need 
to  perform  their  jobs? 

What  information  do  people  in  your  organization 
need  to  perform  their  jobs? 

Patient  Information  Data 

System  (PIDS) 

-  patient  medical  information 

Financial  Record  Keeping 

System  (FRKS) 

-  billing  records 

-  insurance  records 

-  payment  schedules 

Emergency  Care  data  System 
(ECDS) 

-  billing  records 

-  insurance  records 

personal  computers 

-  patient  medical  information 

-  billing  records 

-  insurance  records 

-  payment  schedules 

-  providers'  credentials  (paper 
files) 

email  server  (for  general  email) 

-  information  in  emails 

-  patient  information 
(exchanges  among  doctors) 
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Information,  Systems,  and  Applications 

Applications  and  Services 

Other  Assets 

What  applications  and  services  do  people  in  your 
organization  need  to  perform  their  jobs? 

What  other  assets  are  closely  related  to  these 

assets? 

-  database  application 

-  email 

-  Internet  connectivity 

-  paper  medical  records 

-  Internet  Service  Provider 

-  database  application 

-  Internet  connectivity 

-  Internet  Service  Provider 

-  Internet  connectivity 

-  Internet  Service  Provider 

•  email 

-  Internet  connectivity 

-  PIDS 

-  FRKS 

-  ECDS 

-  other  f unctional  systems 

-  Internet  Service  Provider 

-  PIDS 

-  personal  computers 
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Step  2 


People 


“  — I - 

People 

Skills  and  Knowledge 

Which  people  have  a  special  skill  or  knowledge  that 
is  vital  to  your  organization  and  would  be  difficult 
to  replace? 

What  are  their  special  skills  or  knowledge  ? 

External  relations 

A  group  of  people  who  controls 
the  release  of  patient  medical 
information 

ABC  Systems 

Croup  that  manages  all  major 
changes,  maintenance,  and 
upkeep  of  all  major  systems 

MTF  help  desk 

PC  technicians  who  troubleshoot 
PC  problems  for  users 

Mr.  Smith 

Senior  IT  staff  member.  He  is 
the  only  on-site  staff  member 
with  networking  skills. 
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Asset  Identification  Worksheet 


People 

Related  Systems 

Related  Assets 

Which  systems  do  these  people  use? 

Which  other  assets  do  these  people  use  (i.e., 
information,  services  or  applications)? 

PIDS 

-  PIDS 

-  FRKS 

-  ECDS 

network 

PCs 
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OCTAVE-S  V1.0 


Security  Practices  Worksheet 


6  Security  Practices  Worksheet 


Steps  3a,  3b,  and  4 
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1.  Security  Awareness  and  Training 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

Staff  members  understand  their  security  roles  and 
responsibilities.  This  is  documented  and  verified. 

Very  Much  Somewhat  ^ot  At  AlT^  Don’t  Know 

- - - - - - - .  -iis— - 

There  is  adequate  in-house  expertise  for  all  supported 
services,  mechanisms,  and  technologies  (e.g.,  logging, 
monitoring,  or  encryption),  including  their  secure 
operation.  This  is  documented  and  verified. 

Very  Much  Somewhat  ^  ^  y  Don’t  Know 

Security  awareness,  training,  and  periodic  reminders 
are  provided  for  all  personnel.  Staff  understanding  is 
documented  and  conformance  is  periodically  verified. 

Very  Much  Somewhat  ^oTAt  AlT^  Don  t  Know 

Staff  members  follow  good  security  practice,  such  as 

•  securing  information  for  which  they  are 
responsible 

•  not  divulging  sensitive  informatiQn  to  others 
(resistance  to  social  engineering) 

•  having  adequate  ability  to  use  information 
technology  hardware  and  software 

•  using  good  password  practices 

•  understanding  and  following  security  policies 
and  regulations 

•  recognizing  and  reporting  incidents 

Very  Much  Somewhat  ^oTAt  AH^^  Don’t  Know 
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Security  Practices  Worksheet 


1.  Security  Awareness  and  Training 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
area? 


EH  Red 
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2.  Security  Strategy 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

The  organization’s  business  strategies  routinely 
incorporate  security  considerations. 

Very  Much  Somewhat  ^ot  At  aTT^  Don’t  Know 

Security  strategies  and  policies  take  into  consideration 
the  organization’s  business  strategies  and  goals. 

Very  Much  Somewhat  At  AlT^  Don’t  Know 

Security  strategies,  goals,  and  objectives  are 
documented  and  are  routinely  reviewed,  updated,  and 
communicated  to  the  organization. 

Very  Much  ^86mewhaT^Not  At  All  Don’t  Know 
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Security  Practices  Worksheet 


2.  Security  Strategy 


3i)  Su'i>4 


What  is  your  organization  currently  What  is  your  organization  currently  not  How  effectively  is 

doing  well  in  this  area?  doing  well  in  this  area?  your  organization 

implementing  the 
practices  in  this 
area? 

-  Our  current  protection 

strategy  is  not  ®  Red 

effective. 

-  Our  security  strategy 

lacks  business  sense.  It  □  Yeiiow 

is  not  proactive. 

□  Green 


□  Not  Applicable 
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3.  Security  Management 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

Management  allocates  sufficient  funds  and  resources  to 
information  security  activities. 

Very  Much  (Somewhat^)  Not  At  All  Don’t  Know 

Security  roles  and  responsibilities  are  defined  for  all 
staff  in  the  organization. 

Very  Much  ^pmewhat^Not  At  All  Don’t  Know 

All  staff  at  all  levels  of  responsibility  implement  their 
assigned  roles  and  responsibility  for  information 
security. 

Very  Much  Somewhat  ^otAt^U^  Don’t  Know 

There  are  documented  procedures  for  authorizing  and 
overseeing  all  staff  (including  personnel  from  third- 
party  organizations)  who  work  with  sensitive 
information  or  who  work  in  locations  where  the 
information  resides. 

Very  Much  Somewhat  (Not  At  AH^)  Don’t  Know 

The  organization’s  hiring  and  termination  practices  for 
staff  take  information  security  issues  into  account. 

Very  Much  ^om^haP^ot  At  All  Don’t  Know 

. . . . — — - . 

The  organization  manages  information  security  risks, 
including 

•  assessing  risks  to  information  security 

•  taking  steps  to  mitigate  information  security 
risks 

Very  Much  Somewhat  (^otAtAll  J  Don’t  Know 

Management  receives  and  acts  upon  routine  reports 
summarizing  security-related  information  (e.g.,  audits, 
logs,  risks  and  vulnerability  assessments). 

Very  Much  Somewhat  Not  At  All  ^Pon’ t  Kn5^ 
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3.  Security  Management 


Step  3h 


What  is  your  organization  currently 
doing  well  in  this  area? 


What  is  your  organization  currently  not 
doing  well  in  this  area? 


This  risk  evaluation  is  a 
step  in  the  right 
direction. 


We  have  an  inadequate 
budget  for  security. 

Staff  members  are 
complacent  about 
security. 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
area? 


1H3  Red 


□  Yellow 


□  Green 


□  Not  Applicable 
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4.  Security  Policies  and  Regulations 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

The  organization  has  a  comprehensive  set  of 
documented,  current  policies  that  are  periodically 
reviewed  and  updated. 

^ery  Much^)  Somewhat  Not  At  All  Don’t  Know 

There  is  a  documented  process  for  management  of 
security  policies,  including 

•  creation 

•  administration  (including  periodic  reviews 

and  updates) 

•  communication 

Very  Much  ^Somewha^  Not  At  All  Don’t  Know 

The  organization  has  a  documented  process  for 
evaluating  and  ensuring  compliance  with  information 
security  policies,  applicable  laws  and  regulations,  and 
insurance  requirements. 

Very  Much  ^Somewhat)  Not  At  All  Don’t  Know 

The  organization  uniformly  enforces  its  security 
policies. 

Very  Much  Somewhat  ^ot^At  AlT^  Don’t  Know 
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4.  Security  Policies  and  Regulations 


3i)  Su'i) 


What  is  your  organization  currently 
doing  well  in  this  area? 

What  is  your  organization  currently  not 
doing  well  in  this  area? 

How  effectively  is 
your  organization 
implementing  the 
practices  in  this 

area? 

-  Policies  and  procedures 

-  There  is  poor 

exist. 

communication  of 

□  Red 

-  There  are  established 

policies. 

incident-handling 

-  People  don't  always 

policies  and  procedures. 

read  and  follow  policies 

El  Yellow 

and  procedures. 

-  There  is  a  lack  of 

follow-up  on  reported 

□  Green 

| 

violations. 

-  We  don't  enforce  our 

policies. 

□  Not  Applicable 
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5.  Collaborative  Security  Management 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

The  organization  has  policies  and  procedures  for 
protecting  information  when  working  with  external 
organizations  (e.g.,  third  parties,  collaborators, 
subcontractors,  or  partners),  including 

•  protecting  information  belonging  to  other 
organizations 

•  understanding  the  security  polices  and 
procedures  of  external  organizations 

•  ending  access  to  information  by  terminated 
external  personnel 

Very  Much  ^Somewhat^  Not  At  All  Don’t  Know 

The  organization  documents  information  protection 
requirements  and  explicitly  communicates  them  to  all 
appropriate  third  parties. 

Very  Much  Somewhat  At  AlT^  Don’t  Know 

The  organization  has  formal  mechanisms  for  verifying 
that  all  third-party  organizations,  outsourced  security 
services,  mechanisms,  and  technologies  meet  its  needs 
and  requirements. 

Very  Much  Somewhat  ^NqTaTaT^  Don’t  Know 

The  organization  has  policies  and  procedures  for 
collaborating  with  all  third-party  organizations  that 

•  provide  security  awareness  and  training 
services 

•  develop  security  policies  for  the  organization 

•  develop  contingency  plans  for  the 
organization 

Very  Much  ^SomewhaT)  Not  At  All  Don’t  Know 
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5.  Collaborative  Security  Management 


Step  3b 


What  is  your  organization  currently  not 
doing  well  in  this  area? 


-  We  rely  on  more  than 
ABC  Systems  to 
support  our  networks. 

-  There  is  no  single  point 
of  contact  for  the 
network  Things  get 
confused  sometimes. 

-  MedSite  does  not 
communicate  its 
security-related 
requirements  for  PIDS 
to  ABC  Systems. 


What  is  your  organization  currently 
doing  well  in  this  area? 


Step  4 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
area? 


E  Red 


□  Yellow 


□  Green 


□  Not  Applicable 
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6.  Contingency  Planning/Disaster  Recovery 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

An  analysis  of  operations,  applications,  and  data 
criticality  has  been  performed. 

(^ery  Much^)  Somewhat  Not  At  All  Don’t  Know 

The  organization  has  documented,  reviewed,  and  tested 

•  business  continuity  or  emergency  operation 
plans 

•  disaster  recovery  plan(s) 

•  contingency  plan(s)  for  responding  to 
emergencies 

Very  Much  ^Somewhat^  Not  At  All  Don’t  Know 

The  contingency,  disaster  recovery,  and  business 
continuity  plans  consider  physical  and  electronic 
access  requirements  and  controls. 

Very  Much  ^onie wh at^Not  At  All  Don’t  Know 

All  staff  are 

•  aware  of  the  contingency,  disaster  recovery, 
and  business  continuity  plans 

•  understand  and  are  able  to  carry  out  their 
responsibilities 

Very  Much  ^^mewhat^Not  At  All  Don’t  Know 
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6.  Contingency  Planning/Disaster  Recovery 


What  is  your  organization  currently 
doing  well  in  this  area? 

What  is  your  organization  currently  not 
doing  well  in  this  area? 

-  We  have  disaster 

-  We  don't  have  a 

recovery  plans  for 

business  continuity 

natural  disasters  and 

plan. 

some  emergencies. 

-  We  don't  have  disaster 
recovery  plans  for 
systems  and  networks. 

-  We're  not  sure  how 
much  testing  has  been 
done  of  the  plans  we  do 

have. 

How  effectively  is 
your  organization 
implementing  the 
practices  in  this 


□  Red 


E  Yellow 


□  Green 


□  Not  Applicable 
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7.  Physical  Access  Control 


Step  3  a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 

area: 

Facility  security  plans  and  procedures  for 
safeguarding  the  premises,  buildings,  and  any 
restricted  areas  are  documented  and  tested. 

^eryMudj^  Somewhat  Not  At  All  Don’t  Know 

There  are  documented  policies  and  procedures  for 
managing  visitors. 

^Very  Much^  Somewhat  Not  At  All  Don’t  Know 

There  are  documented  policies  and  procedures  for 
controlling  physical  access  to  work  areas  and 
hardware  (computers,  communication  devices,  etc.) 
and  software  media. 

Very  Much  ^QmewhaT^Not  At  All  Don’t  Know 

Workstations  and  other  components  that  allow 
access  to  sensitive  information  are  physically 
safeguarded  to  prevent  unauthorized  access. 

Very  Much  ^omewhaT^Not  At  All  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  requirements  for  physical  access 
control  are  formally  communicated  to  all  contractors 
and  service  providers  that  control  physical  access  to 
the  building  and  premises,  work  areas,  IT  hardware, 
and  software  media. 

Very  Much  ^omewhat^  Not  At  All  Don’t  Know 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
physical  access  control. 

Very  Much  ^Q^wh^T^^ot  At  All  Don’t  Know 
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7.  Physical  Access  Control 


What  is  your  organization  currently 
doing  well  in  this  area? 


What  is  your  organization  currently  not 
doing  well  in  this  area? 


We  are  required  to  lock 
our  offices  at  the  end 
of  the  day. 

Physical  security  for 
our  computer  room  is 
good. 


Once  sensitive 
information  is  printed 
and  distributed,  it  is 
not  properly  controlled 
or  handled. 

Physical  security  is 
hampered  by 

o  location/distribution 
of  PCs 

o  need  to  share  PCs 

o  shared  office  space 

o  sharing  codes  to 
cipher  locks 

o  multiple  access 
points  to  rooms 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 


□  Red 


El  Yellow 


□  Green 


□  Not  Applicable 
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8.  Monitoring  and  Auditing  Physical  Security 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 

area: 

Maintenance  records  are  kept  to  document  the 
repairs  and  modifications  of  a  facility’s  physical 
components. 

Very  Much  Somewhat  ^Not  At  AU^  Don’t  Know 

An  individual’s  or  group’s  actions,  with  respect  to  all 
physically  controlled  media,  can  be  accounted  for. 

Very  Much  Somewhat  ^oTAt  /uT^  Don’t  Know 

Audit  and  monitoring  records  are  routinely  examined 
for  anomalies,  and  corrective  action  is  taken  as 
needed. 

Very  Much  Somewhat  ATP^  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  requirements  for  monitoring 
physical  security  are  formally  communicated  to  all 
contractors  and  service  providers  that  monitor 
physical  access  to  the  building  and  premises,  work 
areas,  IT  hardware,  and  software  media. 

Very  Much  ^Somewha^  Not  At  All  Don’t  Know 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
monitoring  physical  security. 

Very  Much  Somewhat  Not  At  All  ^on’t  Kncn^ 
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8.  Monitoring  and  Auditing  Physical  Security 


step  3b  Su'|>4 


What  is  your  organization  currently  What  is  your  organization  currently  not  How  effectively  is 

doing  well  in  this  area?  doing  well  in  this  area?  your  organization 

implementing  the 
practices  in  this 
area? 

-  Audit  records  are 

spotty.  We're  not  sure  ®  Red 

that  anyone  reviews 

them. 

□  Yellow 


□  Green 


□  Not  Applicable 
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9.  System  and  Network  Management 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 

area: 

There  are  documented  and  tested  security  plan(s)  for 
safeguarding  the  systems  and  networks. 

Very  Much  Somewhat  (NotAtAlj)  Don’t  Know 

Sensitive  information  is  protected  by  secure  storage  (e.g.,  ' 
backups  stored  off  site,  discard  process  for  sensitive 
information). 

^Very  Much)  Somewhat  Not  At  All  Don’t  Know 

The  integrity  of  installed  software  is  regularly  verified. 

Very  Much  (SomewhaT)  Not  At  All  Don’t  Know 

All  systems  are  up  to  date  with  respect  to  revisions, 
patches,  and  recommendations  in  security  advisories. 

Very  Much  /^omewhatA  Not  At  All  Don’t  Know 

There  is  a  documented  and  tested  data  backup  plan  for 
backups  of  both  software  and  data.  All  staff  understand 
their  responsibilities  under  the  backup  plans. 

Very  Much  (Somewhat^)  Not  At  All  Don’t  Know 

Changes  to  IT  hardware  and  software  are  planned, 
controlled,  and  documented. 

Very  Much  ^Somewhat)  Not  At  All  Don’t  Know 

IT  staff  members  follow  procedures  when  issuing, 
changing,  and  terminating  users’  passwords,  accounts, 
and  privileges. 

•  Unique  user  identification  is  required  for  all 
information  system  users,  including  third-party 
users. 

•  Default  accounts  and  default  passwords  have 
been  removed  from  systems. 

Very  Much  ^Somewhay  Not  At  All  Don’t  Know 

Only  necessary  services  are  running  on  systems  -  all 
unnecessary  services  have  been  removed. 

Very  Much  Somewhat  (Not  At  AM)  Don’t  Know 

. . . - 

Tools  and  mechanisms  for  secure  system  and  network 
administration  are  used,  and  are  routinely  reviewed  and 
updated  or  replaced. 

Very  Much  (somewhat)  Not  At  All  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  security-related  system  and  network 
management  requirements  are  formally  communicated  to 
all  contractors  and  service  providers  that  maintain 
systems  and  networks. 

Very  Much  ^Somewhat^  Not  At  All  Don’t  Know 

The  organization  formally  verifies  that  contractors  and 
service  providers  have  met  the  requirements  for  security- 
related  system  and  network  management. 

Very  Much  Somewhat  (frJot  At  AU^)  Don’t  Know 
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9.  System  and  Network  Management 


Step  3b 


What  is  your  organization  currently 
doing  well  in  this  area? 


-  ABC  Systems  has  a 
security  plan. 

-  We  force  users  to 
change  their  passwords 
regularly. 

-  ABC  Systems  has 
reported  very  few 
intrusions. 

-  Systems  are  well 
protected  with 
passwords. 

-  ABC  Systems  runs  tools 
from  their  site. 


What  is  your  organization  currently  not 
doing  well  in  this  area? 


-  MedSite  has  no 
documented  security 
plan. 

-  We  don't  clean  up 
inherited  access  rights 
very  well. 

-  We’re  not  sure 
whether  ABC  Systems 
keeps  up  with  security 
notices. 

-  We  haven't  been 
trained  in  the  use  of 
the  latest  system 
administration  tools. 


Step  4 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
area? 


□  Red 


Si  Yellow 


□  Green 


□  Not  Applicable 
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10.  Monitoring  and  Auditing  IT  Security 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff from  your  organization  is  responsible  for  this 

area: 

System  and  network  monitoring  and  auditing  tools 
are  routinely  used  by  the  organization.  Unusual 
activity  is  dealt  with  according  to  the  appropriate 
policy  or  procedure. 

Very  Much  ^Somewhat)  Not  At  All  Don’t  Know 

Firewall  and  other  security  components  are 
periodically  audited  for  compliance  with  policy. 

Very  Much  (Somewhat^Not  At  All  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  requirements  for  monitoring 
information  technology  security  are  formally 
communicated  to  all  contractors  and  service 
providers  that  monitor  systems  and  networks. 

Very  Much ^Somewh^  Not  At  All  Don’t  Know 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
monitoring  information  technology  security. 

Very  Much  Somewhat  ^orAt  AlP)  Don’t  Know 
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10.  Monitoring  and  Auditing  IT  Security 


Step  31,  Sk"4 


What  is  your  organization  currently  What  is  your  organization  currently  not  How  effectively  is 

doing  well  in  this  area?  doing  well  in  this  area?  your  organization 

implementing  the 
practices  in  this 
area? 

-  ABC  Systems  does  all  -  ABC  Systems  does  not 

IT  audits.  report  unusual  activity  □  Red 

-  ABC  Systems  runs  to  an>'one  here' 

monitoring  tools. 

0  Yellow 


□  Green 


□  Not  Applicable 
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11.  Authentication  and  Authorization 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 

area: 

Appropriate  access  controls  and  user  authentication 
(e.g.,  file  permissions,  network  configuration) 
consistent  with  policy  are  used  to  restrict  user  access 
to  information,  sensitive  systems,  specific 
applications  and  services,  and  network  connections. 

Very  Much  Somewhat  ^AtAll^)  Don’t  Know 

There  are  documented  policies  and  procedures  to 
establish  and  terminate  the  right  of  access  to 
information  for  both  individuals  and  groups. 

Very  Much  ^o^whaT^Not  At  All  Don’t  Know 

_  .  _  ✓ - - 

Methods  or  mechanisms  are  provided  to  ensure  that 
sensitive  information  has  not  been  accessed,  altered, 
or  destroyed  in  an  unauthorized  manner.  Methods  or 
mechanisms  are  periodically  reviewed  and  verified. 

Very  Much  Somewhat  y^Jot  At  A\\^/  Don  t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  requirements  for  controlling 
access  to  systems  and  information  are  formally 
communicated  to  all  contractors  and  service 
providers  that  provide  authentication  and 
authorization  services. 

Very  Much  ^pmewhaT^yiot  At  All  Don’t  Know 

. . .  - 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
authentication  and  authorization. 

Very  Much  Somewhat  y^otAtAll^/  Don’t  Know 
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Security  Practices  Worksheet 


11.  Authentication  and  Authorization 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
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12.  Vulnerability  Management 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 
area: 

There  is  a  documented  set  of  procedures  for 
managing  vulnerabilities,  including 

•  selecting  vulnerability  evaluation  tools, 
checklists,  and  scripts 

•  keeping  up  to  date  with  known  vulnerability 
types  and  attack  methods 

•  reviewing  sources  of  information  on 
vulnerability  announcements,  security  alerts, 
and  notices 

•  identifying  infrastructure  components  to  be 
evaluated 

•  scheduling  of  vulnerability  evaluations 

•  interpreting  and  responding  to  the  results 

•  maintaining  secure  storage  and  disposition  of 
vulnerability  data 

Very  Much  Somewhat  Not  At  All  Don’t  Know 

Vulnerability  management  procedures  are  followed 
and  are  periodically  reviewed  and  updated. 

Very  Much  Somewhat  Not  At  All  Don’t  Know 

Technology  vulnerability  assessments  are  performed 
on  a  periodic  basis,  and  vulnerabilities  are  addressed 
when  they  are  identified. 

Very  Much  Somewhat  Not  At  All  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  vulnerability  management 
requirements  are  formally  communicated  to  all 
contractors  and  service  providers  that  manage 
technology  vulnerabilities. 

Very  Much  Somewhat  ^o^t  AlT^  Don’t  Know 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
vulnerability  management. 

Very  Much  Somewhat  Not  At  All  (Don't  Kno\^ 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
vulnerability  management. 


Security  Practices  Worksheet 


12.  Vulnerability  Management 


What  is  your  organization  currently 
doing  well  in  this  area? 


What  is  your  organization  currently  not 
doing  well  in  this  area? 


ABC  Systems  does  oil 
vulnerability  evaluation 
and  management. 


We  haven't  received 
training  about  how  to 
interpret  vulnerability 
reports. 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
area? 


E  Red 


□  Yellow 


□  Green 


□  Not  Applicable 
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13.  Encryption 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 

area: 

Appropriate  security  controls  are  used  to  protect 
sensitive  information  while  in  storage  and  during 
transmission  (e.g.,  data  encryption,  public  key 
infrastructure,  virtual  private  network  technology). 

Very  Much  Somewhat  Don’t  Know 

Encrypted  protocols  are  used  when  remotely 
managing  systems,  routers,  and  firewalls. 

Very  Much  Somewhat  ^otAt  AlP^)  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  requirements  for  protecting 
sensitive  information  are  formally  communicated  to 
all  contractors  and  service  providers  that  provide 
encryption  technologies. 

Very  Much  Somewhat  Not  At  All  ^on’t  Kno^ 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
implementing  encryption  technologies. 

Very  Much  Somewhat  Not  At  All  {Don’t  Know) 
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Security  Practices  Worksheet 


13.  Encryption 


Step  3I> 


What  is  your  organization  currently 
doing  well  in  this  area? 

What  is  your  organization  currently  not 
doing  well  in  this  area? 

-  We  don't  protect 
patient  information 
when  we  send  it 
electronically  to  third 
parties. 

-  We  don't  know  whether 
ABC  Systems  protects 
patient  information 
using  encryption.  The 
topic  has  never  come 
up. 

Step  4 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
area? 


13  Red 


□  Yellow 


□  Green 


□  Not  Applicable 


CMU/SEI-2003-HB-003  Volume  10 


77 


OCTAVE-S  V1.0 


14.  Security  Architecture  and  Design 


Step  3a 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 

area : 

System  architecture  and  design  for  new  and  revised 
systems  include  considerations  for 

•  security  strategies,  policies,  and  procedures 

•  history  of  security  compromises 

•  results  of  security  risk  assessments 

Very  Much  Somewhat  |<mAt  A?T^)  Don’t  Know 

The  organization  has  up-to-date  diagrams  that  show 
the  enterprise-wide  security  architecture  and  network 
topology. 

Very  Much  ^omewhaT^lot  At  All  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  security-related  requirements  are 
formally  communicated  to  all  contractors  and  service 
providers  that  design  systems  and  networks. 

Very  Much  Somewhat  ^ot^At  Al^^  Don  t  Know 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
security  architecture  and  design. 

Very  Much  Somewhat  ^o^At  AlP^  Don’t  Know 
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Security  Practices  Worksheet 


14.  Security  Architecture  and  Design 


Step  31* 


What  is  your  organization  currently 
doing  well  in  this  area? 

What  is  your  organization  currently  not 
doing  well  in  this  area? 

-  PIDS II  is  being 
developed  and  no  one 
has  talked  to  us  about 
security. 

Step  4 


How  effectively  is 
your  organization 
implementing  the 
practices  in  this 
area? 


[3  Red 


□  Yellow 


□  Green 


□  Not  Applicable 
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15.  Incident  Management 


Statement 

To  what  extent  is  this  statement  reflected  in  your 
organization? 

If  staff  from  your  organization  is  responsible  for  this 

area: 

Documented  procedures  exist  for  identifying, 
reporting,  and  responding  to  suspected  security 
incidents  and  violations. 

Very  Much  ^omewhaT^Not  At  All  Don’t  Know 

Incident  management  procedures  are  periodically 
tested,  verified,  and  updated. 

Very  Much  Somewhat  ^Not  At  AH^  Don’t  Know 

There  are  documented  policies  and  procedures  for 
working  with  law  enforcement  agencies. 

Very  Much  Somewhat  At  AU^  Don’t  Know 

If  staff  from  a  third  party  is  responsible  for  this  area: 

The  organization’s  requirements  for  managing 
incidents  are  formally  communicated  to  all 
contractors  and  service  providers  that  provide 
incident  management  services. 

Very  Much  Somewhat  Not  At  All  ^iSon’t  Kno^ 

- f 

The  organization  formally  verifies  that  contractors 
and  service  providers  have  met  the  requirements  for 
managing  incidents. 

Very  Much  Somewhat  Not  At  All  vQon’t  Kno>y 
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Security  Practices  Worksheet 


15.  Incident  Management 


Step  3b  Su'P4 


What  is  your  organization  currently  What  is  your  organization  currently  not  How  effectively  is 

doing  well  in  this  area?  doing  well  in  this  area?  your  organization 

implementing  the 
practices  in  this 
area? 

-  Procedures  exist  for  -  We  have  never 

incident  response.  considered  how  to  deal  a  Red 

with  law  enforcement. 

-  It  is  not  clear  how  or 

where  we  should  report  ei  Yeiiow 

incidents. 

-  We  have  never 

discussed  incident  □  Green 

management  with  ABC 
Systems. 

□  Not  Applicable 


i 
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Critical  Asset  Selection  Worksheet 


7  Critical  Asset  Selection  Worksheet 


Step  5 
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Step  5 


Questions  to  Consider:  Which  assets  will  have  a  large  adverse  impact  on  the  organization  if 

•  they  are  disclosed  to  unauthorized  people  ? 

•  they  are  modified  without  authorization? 

•  they  are  lost  or  destroyed? 

•  access  to  them  is  interrupted? 


Critical  Asset 

i.  Patient  Information  Data  System  (PIDS) 


2.  Paper  medical  records 


3.  Personal  computers 


4.  ABC  Systems 


5.  Emergency  Data  Care  System  (ECDS) 
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Critical  Asset  Selection  Worksheet 


Notes 

We  are  dependent  on  PID5. 


The  number  one  data  source  for  patient  information  is  paper 
medical  records. 


All  staff  access  key  medical  systems  using  personal  computers. 


They  control  our  network. 


This  is  typical  of  the  32  functional  systems  at  MedSite. 
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Critical  Asset  Information  Worksheet:  Systems 


8  Critical  Asset  Information  Worksheet  for 
Systems 


Steps  6, 7,  8,  9, 10,  and  11 

Note  that  from  this  point  on,  most  of  the  case  scenario  results  are  only  for  the  critical  asset  PIDS. 
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Patient  Information  We  are  98%  dependent  on  PIDS  for  delivering  patient 
Data  System  (PIDS)  care. 


Step  9 


Related  Assets 

Which  assets  are  related  to  this  system? 

Information:  Services  and  Applications: 

-  Patient  medical  information  -  Database 

-  Email 

Other: 

-  Personal  computers 

-  Paper  medical  records 

-  Internet  connectivity 

-  ABC  Systems 

-  External  relations 
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Description 

Who  uses  the  system  ? 


Who  is  responsible  for  the  system? 


Providers,  lab  technician,  pharmacists,  and  appointment  schedulers  all  use  PIDS.  Each 
group  is  responsible  for  a  subset  of  the  medical  information  on  PIDS.  ABC  Systems 
has  primary  responsibility  for  maintaining  PIDS.  Some  day-to-day  maintenance  work  is 
performed  by  our  IT  staff. 


Security  Requirements 


What  are  the  security  requirements  for  this  system? 


Most  Important  Security 
Requirement 

Which  security  requirement 
is  most  important  for  this 


(Hint'  Focus  on  what  the  security  requirements  should  be  for  this  system ,  not  what  they  currently  are.) 

system  ? 


H3  Confidentiality  Only  authorized  personnel  can  view  information  on 

□  Confidentiality 

PIt>S  Inf ormation  should  be  restricted  to 

those  with  a  "need  to  know."  Information  is  subject  to 
the  privacy  act;  a  lntesn,y 


El  Integrity 


Only  authorized  personnel  can  modify  information  on 


El  Availability 


PTfrS  Records  must  be  complete  and  correct.  j  Q  0ther 


E  Availability  _ PlhS  must  be  available  for  personnel  to  perform  their  jobs. 

Access  to  information  is  required  24/7. 


□  Other 
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Risk  Profile  Worksheets 


9  Risk  Profile  Worksheets  for  Systems  - 
PIDS 


Steps  12, 13, 14, 15, 16,  22,  23,  24,  26,  27 
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Risk  Profile  Worksheet  for  PIDS:  Network  Access 


9.1  Risk  Profile  Worksheet  for  PIDS  -  Human  Actors 
Using  Network  Access 
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Step  12 


Threat 

For  which  branches  is  there  a  non-negligible  possibility  of  a  threat  to  the 
asset?  Mark  these  branches  on  the  tree. 

For  which  of  the  remaining  branches  is  there  a  negligible  possibility  or  no 
possibility  of  a  threat  to  the  asset?  Do  not  mark  these  branches. 


Access 


Motive 


PIDS  network 


outside 


Outcome 


Impact  Values 

What  is  the  potential  impact  on  the 
organization  in  each  applicable 
area? 


Impact  Values 


disclosure 


e 

o  — 


M  M 


i  i 


accidental 

modification 

«i 

M  | 

M 

*1 

H| 

E 

loss,  destruction 

« i 

M 

H 

M  | 

JiJ 

-  | 

interruption 

M 

lMJ 

H 

M  | 

E 

-  | 

disclosure 

M 

M 

L 

M 

L  1 

E 

1' 

deliberate 

modification 

M  | 

M  | 

M 

M  | 

H 

E 

loss,  destruction 

. 

M 

H 

M 

H  | 

E 

interruption 

M 

M  j 

H 

M 

E 

■ 

disclosure 

M 

H  | 

1  1 

M  | 

L  | 

- 

accidental 

modification 

1 . ^ 

M 

\  M 

M  | 

El 

- 

loss,  destruction 

1 . 

M 

1  H 

M  | 

1  H 

- 

interruption 

EJ 

M 

Ly_ 

M 

1  H 

- 

disclosure 

|H 

E 

1  L 

M 

LkJ 

- 

deliberate 

modification 

[  M 

["m1 

|  M 

M 

E 

- 

loss,  destruction 

U- 

Dl 

1  H 

M 

E 

E 

interruption 

U- 

E 

E 

M 

E 

□ 
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Risk  Profile  Worksheet  for  PEDS:  Network  Access 


Probability  Security  Practice  Areas 

How  likely  is  the  threat  to  What  is  the  stoplight  status  for  each  security  practice  area? 

occur  in  the  future?  How 
confident  are  you  in  your 
estimate? 


Approach 

What  is  your 
approach  for 
addressing  each 
risk? 


Value  Confidence 


Strategic 


Operational 


M  6JD 

*  S 


•s  -  - 

i  xs  < 
5  £  w 

i  i  | 

>  &  z 

m  pc — i- — i 

rn  i — xi — i 

m  i--xi — i 

rn  ix — i — i 

m  ix — i — i 
m  i — X|- — i 
I  L  1  I — X( 1 

rn  i--xi — i 

m  i — i— — xi 
m  i — i— -xi 

rn  i — i--xi 

m  i — i— xi 

m  i — i — xi 
m  i — i — xi 
m  i— -xi — i 
m  I----XI — i 


«  i 


C/2  Cfl  C«  C« 


r  r  r  y  r  y 


r  r  r  y  r  y 


r  r  r  y  r  y 


R  R  R  y  R  Y 


r  r  r  y  r  y 


r  r  r  y  r  y 


r  r  r  y  r  y 


r  r  r  y  r  y 


ft  R  ft  y  R  Y 


r  r  r  y  f  ft  y 


r  ft  ft  y  (r 


R  ft  R  V1U  y 


I  « 

bd  Vi 


yyRRRRy 


::  yyRRRRy 


yy  RRRRy 


■S  y  y  r  r  r  R  y 


y  y  ft  ft  ft  ft  y 


y  y  r  r  i  r  r  R  y 


y  y fRi R  ft  r  y 


y  y  fR  i r  r  r  y 


y_[_y_J_R_J_R_[_R_|_Rj_y 

y|ylft|R|R|R|y 


yyRRRRy 


yyRRRRy 


yy  RRRRy 


y|y|R]R|R|R|y 

y|y|R|R|R|ft|y 


yyRRRRy 


o,  u  3d 

a)  ^  .Sr 

u  *2:  ~ 

<  o  S 

□  E  □ 


□  IS  □ 


□  E  □ 

□  E  □ 


□  □  E 


□  □  E 


□  □  E 


□  □  E 


□  E  □ 


□  E  □ 


□  E  □ 


□  E  □ 


□  □  E 


□  □  E 

□  □  E 


□  □  E 
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disclosure  Insiders  acting  accidentally: 

accidental  modification  Data  entry  personnel,  medical 

loss,  destruction  staff  discussing  sensitive 
“ — —  information  in  public  areas 

inside  interruption _ ___ _ _ 

disclosure  Insiders  acting  deliberately: 

deliberate  modification  Disgruntled  employees,  staff 

loss,  destruction  misusing  PIDS  information  for 
I  non-malicious  reasons 

interruption 

disclosure 

accidental  modification 

loss,  destruction 

outside  interruption 

disclosure  Outsiders  acting  deliberately: 

deliberate  modification  Terrorist,  spies,  hackers 

loss,  destruction 


Outsiders  acting  accidentally: 

ABC  Systems 


interruption 


OCTAVE-S  V1.0 


Human  Actors  Using  Network  Access 


Insiders  Using  Network  Access 
Give  examples  of  how 


insiders  acting  accidentally 
could  use  network  access 
to  threaten  this  system. 


Give  examples  of  how 
insiders  acting  deliberately 
could  use  network  access 
to  threaten  this  system. 


Staff  members  with  legitimate  access  to  PIt>5  sometimes  use 
that  access  to  view  information  that  they  shouldn't  (e.g.,  medical 
records  of  friends).  This  is  a  violation  of  the  privacy  act. 

Disgruntled  employees  are  a  concern.  The  more  they  know  about 
information  technology,  the  more  dangerous  they  are. 


Outsiders  Using  Network  Access  _ _ _ _ _ _ _ 

Give  examples  of  how  ABC  Systems  has  access  to  PIDS  and  the  network.  Any  deliberate 

outsiders  acting  accidentally  or  accjdental  acts  by  their  staff  could  affect  our  ability  to 

could  use  network  access  jde  tjcnt  care> 

to  threaten  this  system. 


Give  examples  of  how 
outsiders  acting  deliberately 
could  use  network  access 
to  threaten  this  system. 


Terrorists  and  spies  are  of  concern.  If  they  disrupt  PIDS,  they 
could  shut  down  MedSite. 


Hackers  are  also  a  concern.  If  they  disrupt  PIDS,  they  could  shut 
down  MedSite. 


Risk  Profile  Worksheet  for  PIDS:  Network  Access 


Areas  of  Concern 


[ 

Insiders  Using  Network  Access 

i  Role-based  access  builds  over  time.  Many  staff  members  have 
i  access  to  too  much  information. 

1 

1 

1 

1 

1 

1 

Outsiders  Using  Network  Access 

i  ABC  Systems  has  access  to  PIDS  and  the  network.  Any  deliberate 
i  or  accidental  acts  by  their  staff  could  affect  our  ability  to  provide 
i  patient  care  if  they  modify  or  delete  vital  information  on 
j  PIDS. 

n  i 

CMU/SEI-2003-HB-003  Volume  10 


99 


OCTAVE-S  V1.0 


100 


CMU/SEI-2003-HB-003  Volume  10 


OCTAVE-S  V1.0 


Risk  Profile  Worksheet  for  PIDS:  Human  Access 


9.2  Risk  Profile  Worksheet  for  PIDS  -  Human  Actors 
Using  Physical  Access 
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|  Human  Actors  Using  Physical  Access 


Step  12 


Threat 

For  which  branches  is  there  a  non-negligible  possibility  of  a  threat  to  the 
asset?  Mark  these  branches  on  the  tree. 

For  which  of  the  remaining  branches  is  there  a  negligible  possibility  or  no 
possibility  of  a  threat  to  the  asset?  Do  not  mark  these  branches. 


Basic  Risk  Profile 


Step  22 


Impact  Values 

What  is  the  potential  impact  on  the 
organization  in  each  applicable 
area  ? 


Asset  Access  Actor  Motive  Outcome 


Impact  Values 


disclosure 

T| 

AA  | 

"H 

3 

13 

3 

accidental 

modification 

AA  | 

AA  | 

"*1 

AA  | 

«l 

Zl 

1 

loss,  destruction 

m| 

AA  1 

jd 

Ml 

jd 

inside 

interruption 

AA  | 

AA  | 

l±lJ 

AA  | 

rn 

-  | 

disclosure 

"Ml 

AA 

n 

AA 

T1 

n 

deliberate 

modification 

M 

M 

AA 

AA 

H  | 

-  | 

PIDS 

physical 

loss,  destruction 

M 

AA 

H 

aa| 

H  | 

LJ 

interruption 

JL 

AA 

H  J 

9 

8 

disclosure 
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Basic  Risk  Profile 


Step ; 


Human  Actors  Using  Physical  Access 


Step  - 


Probability  Security  Practice  Areas 

How  likely  is  the  threat  to  What  is  the  stoplight  status  for  each  security  practice  area  ? 
occur  in  the  future?  How 
confident  are  you  in  your 
estimate ? 


Value  Confidence 
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Approach 

What  is  your 
approach  for 
addressing  each 
risk? 
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disclosure 


Threat  Actors 


Which  actors  pose  the  biggest  threats  to  this 
system  via  physical  means? 


Insiders  acting  accidentally : 


accidental  modification  Staff  using  Other  people’s 
loss,  destruction  computers 


interruption 


physical 


disclosure 


Insiders  acting  deliberately: 


deliberate  I  modification  Disgruntled  employees 


loss,  destruction 


interruption 


disclosure  Outsiders  acting  accidentally : 

accidental  modification^^  Systems,  patients 
loss,  destruction 


outside 


interruption 


disclosure 


Outsiders  acting  deliberately: 


deliberate  |  modification  Patients,  terrorists,  spies , 
loss,  destruction  VOndolS 

interruption  _ __ _ 
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Step  16 


Human  Actors  Using  Physical  Access  | _ _ Areas^ofConcerti 

Insiders  Using  Physical  Access  _ _ _ _ _ 

Give  examples  of  how 
insiders  acting  accidentally 
could  use  physical  access 
to  threaten  this  system. 


Give  examples  of  how  Any  staff  member  can  get  physical  access  to  PIDS  by  using  PCs 

insiders  acting  deliberately  |eft  unattended  in  exam  rooms.  PCs  in  exam  rooms  are  typically 

could  use  physical  access  |eff  ,  d  on  to  PIDS 
to  threaten  this  system. 

Our  main  computer  room  is  often  left  unlocked.  Also,  too  many 
staff  members  seem  to  have  keys  to  the  room.  Any  staff  member 
with  malicious  intent  could  gain  access. 

Outsiders  Using  Physical  Access _ _ _ _ _ 

Give  examples  of  how  Any  patient  could  accidentally  see  PIDS  information  when  they  are 

outsiders  acting  accidentally  |eft  Q|onc  jn  eXQm  r0oms.  They  could  also  deliberately  look  at  PIDS 

could  use  physical  access  information  ff  they  wanted  to. 
to  threaten  this  system. 

ABC  Systems  has  physical  access  all  of  our  IT  equipment.  Any 
deliberate  or  accidental  acts  by  their  staff  could  affect  our 
ability  to  provide  patient  care. 

Give  examples  of  how  Any  patient  could  accidentally  see  PIDS  information  when  they  are 

outsiders  acting  deliberately  |eft  a|one  jn  cxatn  r0oms.  They  could  also  deliberately  look  at  PIDS 

could  use  physical  access  jnformation  if  they  wanted  to. 
to  threaten  this  system. 

ABC  Systems  has  physical  access  all  of  our  IT  equipment.  Any 
deliberate  or  accidental  acts  by  their  staf f  could  affect  our 
ability  to  provide  patient  care. 
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Areas  of  Concern 


Insiders  Using  Physical  Access 


Outsiders  Using  Physical  Access 


Terrorists  and  spies  could  attempt  to  physically  access  PIDS  just 
as  easily  as  they  could  try  to  hack  it.  If  they  disrupt  PIDS,  they 
could  shut  down  MedSite.  _ _ 

The  PIDS  server  is  located  at  ABC  Systems'  site.  Its  staff  has 
physical  access  to  PIDS.  Their  physical  security  for  the  server  is  a 
concern. 


CMU/SEI-2003-HB-003  Volume  10 


OCTAVE-S  V1.0 


OCTAVE-S  V1.0 


Risk  Profile  Worksheet  for  PIDS:  System  Problems 


9.3  Risk  Profile  Worksheet  for  PIDS  -  System  Problems 
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I  System  Problems 


Basic  Risk  Profile 


Step  12 


Step  22 


Threat 

For  which  branches  is  there  a  non-negligible  possibility  of  a  threat  to  the 
asset?  Mark  these  branches  on  the  tree. 

For  which  of  the  remaining  branches  is  there  a  negligible  possibility  or  no 
possibility  of  a  threat  to  the  asset  ?  Do  not  mark  these  branches. 


Asset 


Actor 


software  defects 


system  crashes 


hardware  defects 


malicious  code 


Outcome 


Impact  Values 

What  is  the  potential  impact  on 
the  organization  in  each 
applicable  area? 


Impact  Values 


§  -  I 

a  ‘2  S 

■111 
ii+  Cu  U-4 


4> 

PC 


(virus,  worm,  Trojan 
horse,  back  door) 


£  fe 

a)  2. 

«  £ 

cfl  O 


disclosure  ! 

i  □ 

zn 

i —  """  -  ’"**  ' 

|  modification 

i  _□ 

ZL_ 

loss,  destruction 

M  |  M  |  H  | 

M 1 H I  - 

interruption 

M  |  M  |  H 

M  I  H  EZ 

disclosure 

1  J 

1  1 

i —  -  ■  ■  ‘ 

|  modification 

1  J_ 

1  Uk. 

loss,  destruction 

M  |  M  1  H 

M|  H  |  - 

interruption 

ODD 

M  |  H  |  - 

disclosure 

1 1 

1  1 

j  modification 

I 

■  ■■ 

loss,  destruction 

M  |  H  |  - 

interruption 

DOB 

M  |  H  |  - 

disclosure 

DEB 

*  1  L  1  - 

modification 

WiWMM 

«IhT 

loss,  destruction 

ODD 

1  M  |  H  |  - 

interruption 

E 

M  |  H 

1 M 1  hT- 
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Mitigate 


OCTAVE-S  V1.0 


disclosure  [ 

software  defects  J 

modification  j 

loss,  destruction  [ 

interruption  [ 

disclosure  | 

system  crashes 

modification  [ 

loss,  destruction 

interruption  j 

disclosure  j 

hardware  defects 

!  modification 

L_ -  1 

_ times  in _ years  i 


_ times  in _ years 


10  times  in  1  years 


10 _ times  in  1  years 


.  times  in . 


.  times  in . 


10+  times  in  1  years 


□  m  □ 


El  □  □ 


□  □  □ 


□  □  □ 


a  Ei  □ 


e  a  a 


.  times  in  _ 


.  times  in . 


loss,  destruction 
interruption 


0  times  in  5  _  years 


□  □  □ 


a  a  a 


m  □  □ 


m  □  □ 


malicious  code 


(virus,  worm,  Trojan 
horse,  back  door) 


disclosure 

modification 


loss,  destruction 


interruption 


_0 _ times  in  5  _  years 


_ times  in  5  years 


_ times  in  5  years 


2  times  in  1  years 


□  □  m 


□  □  m 


□  s  □ 


□  m  □ 
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Step  16 


Software  Defects  - - - - - - - : 

Give  examples  of  how 
software  defects  could 
threaten  this  system. 

The  PIDS  database  application  locks  up  periodically.  To  get  PIDS 
back  up,  we  need  to  reboot  the  system.  Anytime  PIDS  is  down,  it  j 
affects  MedSite's  ability  to  provide  patient  care. 

L... .  . .  .  i 

System  Crashes  _ _ _ _ — 1 

Give  examples  of  how  system 
crashes  could  threaten  this 
system. 

PIDS  has  a  history  of  crashing  for  a  variety  of  reasons.  Anytime  j 
PIDS  is  down,  it  affects  MedSite's  ability  to  provide  patient  care.  : 

Hardware  Defects 

S  Give  examples  of  how 
hardware  defects  could 
threaten  this  system. 

i - - - — — — — — -  j 

Malicious  Code  _ _ _ _ _ _ _ — — - ; 

Give  examples  of  how 
malicious  code  could  threaten 
this  system.  (Consider 
viruses,  worms,  Trojan 
horses,  back  doors,  others) 


malicious  code. 
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Areas  of  Concern 


Software  Defects 

System  Crashes 

Hardware  Defects 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

1 

Malicious  Code 

■ 

i  Viruses  are  a  major  concern.  PIDS  was  shut  down  twice  last  year 
i  because  of  virus  problems. 
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|  Other  Problems 


Step  12 


Threat 

For  which  branches  is  there  a  non-negligible  possibility  of  a  threat  to  the 
asset?  Mark  these  branches  on  the  tree. 

For  which  of  the  remaining  branches  is  there  a  negligible  possibility  or  no 
possibility  of  a  threat  to  the  asset?  Do  not  mark  these  branches. 


Asset 


Actor 


Outcome 


power  supply 


problems 


telecommunications 


problems  or 
unavailability 


third-party  problems 


or  unavailability  of 
third-party  systems 


natural  disasters 


(e.g.,  flood,  fire, 
tornado) 


disclosure 


modification 


interruption 


disclosure 


modification 
loss,  destruction 
interruption 


disclosure 


interruption 


Basic  Risk  Profile 


Step  22 


Impact  Values 

What  is  the  potential  impact  on  the 
organization  in  each  applicable 
area? 


disclosure 
modification 
loss,  destruction 
interruption 
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Basic  Risk  Profile  _  I  Other  Problems 


Step  26 

1 

Probability 

How  likely  is  the  threat  to 
occur  in  the  future?  How 
confident  are  you  in  your 
estimate? 

Value  Confidence 

mm 

M  3 

£  ~ 

^  £  < 

fr  E  * 

>  £  z 

Security  Practice  Areas 

What  is  the  stoplight  status  for  each  security’ practice  area? 

Strategic  Operational 
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Approach 

What  is  your 
approach  for 
addressing  each 
risk? 
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Step  16 


Othc^Problems  |  ^^^^^^Are^ofConcern 


Power  Supply  Problems 

1 

i 

i 

Give  examples  of  how  power 
supply  problems  could 
threaten  this  system. 

Power  supply  problems  can  lead  to  a  denial  of  access  to  PIDS.  Our  : 
backup  procedures  have  failed  in  the  past,  so  this  is  a  concern.  j 

Telecommunications  Problems 

! 

Give  examples  of  how 
telecommunications  problems 
could  threaten  this  system. 

We  access  PIDS  using  telecommunications  lines.  If  there  is  a  \ 

problem  with  any  telecommunications  equipment,  then  we  could  not  : 
access  PIDS.  : 

Third-Party  Problems 

Give  examples  of  how  third- 
party  problems  could  threaten 
this  system. 

MedSite  is  not  a  priority  for  ABC  Systems.  This  prolongs 
downtime  for  PIDS.  j 

Natural  Disasters 

Give  examples  of  how 
natural  disasters  could 
threaten  this  system. 

MedSite  is  located  on  a  flood  plane.  We  have  had  a  history  of 
floods,  especially  in  the  past  five  years.  Access  to  PIDS  was 
interrupted  each  time. 
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Areas  of  Concern 


ABC  Systems'  configuration  of  our  firewall  restricts  access  to 
important  Internet  medical  sites.  They  do  not  understand  our 
requirements. 
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J  Other  Problems  (cont.)  | 


Basic  Risk  Profile 


Step  12 


Step  22 


Threat 


For  which  branches  is  there  a  non-negligible  possibility  of  a  threat  to  the 
asset?  Mark  these  branches  on  the  tree. 

For  which  of  the  remaining  branches  is  there  a  negligible  possibility  or  no 
possibility  of  a  threat  to  the  asset?  Do  not  mark  these  branches . 


Impact  Values 

What  is  the  potential  impact  on  the 
organization  in  each  applicable 
area? 


Asset 


Actor 


Outcome 


s 
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interruption 
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disclosure 

1  1  1  M 

modification 

i  i  i  r~ 

-  -  - 

loss,  destruction 

1  1  IT 

| 

interruption 

1  II  T~ 

j 

i 

i 

i 

1 
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j  modification 

Mill 

j  loss,  destruction 
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1  1  IT~ 
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Basic  Risk  Profile 

Other  Problems  (cont.) 

Step  24  HUB 

1 

Step  26 

r 

Security  Practice  Areas 

> plight  status  for  each  security  practice  area? 

tegic  Operational 
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rf  to  v© 

13.  Encryption 

14.  Sec  Arch  &  Des 

15.  Incident  Mgmt 

i 

Step  27  III 

h 

Probability 

;  How  likely  is  the  threat  to 
\  occur  in  the  future?  How 

1  confident  are  you  in  your 
\  estimate? 

•  Value  Confidence 
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ro 

Approach 

What  is  your 
approach  for 
addressing  eac 
risk? 
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□  □ 

r 

— 

_ 

□ 

a  a 

□  l-l- 

r 

— 

i 

□ 

□  a 

□  l-H- 

c 

— 

L_ 

L_ 

L 

L 

L 

_ 

I_ 

a 

□  □ 
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□ 

l 

a 

a  a 

;  □!— +_ 

c 

□ 

I 

r 

L 

1 

□ 

| 

| 

1  a 

□  □ 

i 

_ 

_ 

_ 

MM 

CMU/SEI-2003-HB-003  Volume  10 


125 


OCTAVE-S  V1.0 


Other  Problems  (cont.) 


How  often  has  this  threat 
occurred  in  the  past? 


How  accurate 
are  the  data  ? 


disclosure 


disclosure 


modification 


loss,  destruction 


interruption 


physical  configuration 

modification  [ 

or  arrangement  of 

loss,  destruction  [ 

buildings,  offices,  or 
equipment 

interruption  [ 

disclosure  [ 

modification  [ 

loss,  destruction  j 

i 

interruption  [ 

disclosure  j 

modification  [ 

loss,  destruction  | 

interruption  j 

.  times  in . 


_  times  in . 


.  times  in . 


_  times  in  _ 


.  times  in  _ 


_  times  in  _ 


_  times  in  _ 


_  times  in . 


 times  in . 


_  times  in . 


times  in . 


20+  _  times  in _ 1_ 

_ times  in _ 


_ times  in _ 


_ _ times  in _ 


m  □  □ 


□  □  □ 


□  □  □ 


□  □  □ 


□  □  □ 


□  □  □ 


□  a  a 


□  a  □ 


□  □  □ 


□  a  a 


a  □  □ 


□  □  a 


a  □  □ 


□  □  □ 


a  a  □ 
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Risk  Profile  Worksheet  for  PIDS:  Other 


Areas  of  Concern 
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Risk  Profile  Worksheet  for  ABC  Systems:  Other 


1 0  Risk  Profile  Worksheet  for  ABC  Systems 
-  Other  Problems 
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Threat 

For  which  branches  is  there  a  non-negligible  possibility  of  a  threat  to 
the  asset?  Mark  these  branches  on  the  tree . 

For  which  of  the  remaining  branches  is  there  a  negligible  possibility  or 
no  possibility  of  a  threat  to  the  asset?  Do  not  mark  these  branches. 

Ac  cpt  Actor  Outcome 


disclosure 


key  people  taking  a 

temporary  leave  of 
absence  (e.g.,  due  to 
illness,  disability) 


disclosure 


key  people  leaving  the 


organization 

permanently 

(e.g.,  retirement,  other 

opportunities) 


loss,  destruction 


interruption 


disclosure 


Impact  Values 

What  is  the  potential  impact  on  the 
organization  in  each  applicable  area? 


v 

I  » 

I  ■- 

£  b 


modification 
loss,  destruction 


interruption 


modification 


|  threats  affecting 

modification  [ 

|  a  third  party  or 

loss,  destruction  [ 

j  ABC  Systems 

interruption  j 

disclosure  [ 

modification  [ 

loss,  destruction 


interruption 
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Mitigate 


OCTAVE-S  V1.0 


1  Other  Problems 

- 1 

Threat  Context 

D 

[ 

^9 

History 

— 

Z 

How  often  has  this  threat 
occurred  in  the  past? 

How  accurate 
are  the  data? 

Very 

Somewhat 

Not  At  All 

disclosure 

times  in 

_  years 

i 

a 

□ 

_aj 

key  people  taking  a 

modification 

times  in 

__  years 

a 

a 

— 

temporary  leave  of 
absence  (e.g.,  due  to 
illness,  disability) 

loss,  destruction 

times  in 

_  years 

a 

a 

a 

interruption 

times  in  ... 

__  years 

a 

□ 

a 

disclosure 

times  in 

_  years 

z 

a 

□ 

ABC 

Systems 

key  people  leaving 

modification 

times  in  _ 

_  years 

Z 

a 

a 

the  organization 
permanently 

(e.g.,  retirement, 
other  opportunities) 

loss,  destruction 

times  in _ 

_  years 

a 

□ 

a 

interruption 

times  in 

years 

Z 

□ 

□ 

. 

disclosure 

times  in  _ 

_  years 

i 

z 

a 

a 

i 

threats  affecting 

modification 

times  in 

_ years 

i 

HE 

a 

a 

] 

q  third  party  or 

loss,  destruction 

times  in 

_ years 

i 

Z 

a 

a 

] 

ABC  Systems 

interruption 

1  times  in _ 5_ 

_ years 

i 

z 

a 

IS] 

] 

disclosure 

times  in 

_ years 

i 

Ql 

a 

a 

] 

modification 

times  in 

_ years 

i 

H 

a 

a 

] 

loss,  destruction 

times  in 

_ years 

i 

z 

a 

a 

] 

interruption 

times  in 

_ years 

i 

z 

□ 

□ 

] 

i 
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Step  16 


Peoole  Taking  a  Temporary  Leave  of  Absence 

Give  examples  of  how  key 
people  taking  a  temporary  leave 
of  absence  could  affect  the 
ability  of  this  person  or  group 
of  people  to  provide  critical 
services,  skills,  and 
knowledge. 

i 

i 

i 

i 

i 

i 

♦ 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

t 

i 

i 

i 

People  Leaving  the  Organization  Permanently 

1 

1 

> 

Give  examples  of  how  key 
people  leaving  the  organization 
permanently  could  affect  the 
ability  of  this  person  or  group 
of  people  to  provide  critical 
services,  skills,  and 
knowledge. 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

• 

i 

i 

i 

i 

i 

» 

i 

Threats  Affecting  a  Third-Party 

Give  examples  of  how  threats 
affecting  a  third  party  or  service 
provider  could  affect  the  ability 
of  that  third  party  or  service 
provider  to  provide  critical 
services,  skills,  and 
knowledge. 

ABC  Systems  configures  and  maintains  all  major  systems  and  the  j 
network  for  MedSite.  If  ABC  Systems  is  unable  to  provide  i 

services  to  MedSite  because  of  threats  to  their  systems  and  ; 

networks,  MedSite's  operations  could  be  affected. 

i 
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Network  Access  Paths  Worksheet 


1 1  Network  Access  Paths  Worksheet 


Steps  17  and  18 
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Step  17 


System  of  Interest 

What  system  or  systems  are  most  closely  related  to  the  critical  asset? 

PIDS  (is  its  own  system  of  interest) 


System  of 
Interest 


Step  18a 


System  of  Interest 

Which  of  the  following  classes  of 
components  are  part  of  the  system 
of  interest? 


El  Servers 

Server  A 

□  Internal  Networks 


El  On-Site  Workstations 
admin,  physician,  treatment  room 

□  Others  (list) 


Access  Points 


Intermediate 
Access  Points 


Step  18b 


Intermediate  Access  Points 

Which  of  the  following  classes  of 
components  are  used  to  transmit 
information  and  applications  from 
the  system  of  interest  to  people? 

Which  classes  of  components  could 
serve  as  intermediate  access 
poin  ts  ?  _ 

El  Internal  Networks 
El  External  Networks 
□  Others  (list) 


Network  Access  Paths  Worksheet 


Note:  When  you  select  a  key  class  of  components,  make  sure  that  you 
also  document  any  relevant  subclasses  or  specific  examples  when 
appropriate. 


Access  Points 


Step  18c 


System  Access  by  People 

From  which  of  the  following 
classes  of  components  can  people 
(e.g.y  users ,  attackers)  access  the 
system  of  interest? 

Consider  access  points  both 
internal  and  external  to  your 
organization  *s  networks . 


E  On-Site  Workstations 


E  Laptops 

admin,  physicians,  IT 

E  PDAs/Wireless  Components 

E  Home/Extemal  Workstations 

physicians,  senior  admin 

□  Others  (list) 


Step  18d 


Data  Storage  Locations 

On  which  classes  of 
components  is  information  from 
the  system  of  interest  stored  for 
backup  purposes? 


E  Storage  Devices 
local  backups,  off-site  tapes 

□  Others  (list) 


Step  18e 


Other  Systems  and  Components 

Which  other  systems  access 
information  or  applications  from  the 
system  of  interest? 

Which  other  classes  of  components 
can  be  used  to  access  critical 
information  or  applications  from  the 
system  of  interest? 


E  E  CbS 


E  FRKS _ 

E  Most  of  the  other  systems 
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Infrastructure  Review  Worksheet 


12  Infrastructure  Review  Worksheets 


Steps  19,  20,  and  21 
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Note 

In  Step  19a, 
mark  the  path  to 
each  class 
selected  in  Steps 
18a-18e. 


Step  19a 


Class 

Which  classes  of  components 
are  related  to  one  or  more 
critical  assets  ? 


(Document  any  relevant 
subclasses  or  specific 
examples  when  appropriate.) 


Step  19b 


Critical  Assets 

Which  critical  assets  are 
related  to  each  class? 


V) 

C 


V) 

u 

6) 

V) 

L. 

£ 

“O 

+— 

£ 

V) 

>* 

L. 

CL 

o 

Cl 

V) 

CL 

CO 

< 

OJ 

00 

</) 

C 

o 

ID 

IT) 


Servers 
Server  A 
Server  B 


Internal  Networks 

All 

✓ 

✓ 

✓ 

On-Site  Workstations 

Admin _ 

Physicians _ _ 

Patient  treatment  rooms 


Laptops 

Admin 

Physicians 

IT 


PDAs/Wireless  Components 

Physicians  _ 

Others 


✓ 

\ 

u 

V 

I 

s 

V 

V 

■/ 

V 

s 

■ 

B 

yf 

yf 

B 

yf 

•/ 

✓ 

✓ 

Step  20 


Responsibility 

Who  is  responsible  for 
maintaining  and  securing 
each  class  of  component? 


ABC  Systems 
ABC  Systems 


ABC  Systems  A  our  IT 


ABC  Systems  A  our  IT 
ABC  Systems  A  our  IT 
ABC  Systems  A  our  IT 


ABC  Systems  A  our  IT 
ABC  Systems  A  our  IT 
ABC  Systems  A  our  IT 


ABC  Systems  A  our  IT 
ABC  Systems  A  our  IT 
ABC  Systems  A  our  IT 
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Step  21 


Protection 

To  what  extent  is  security  How  do  you 

considered  when  configuring  know? 
and  maintaining  each  class  of 
component? 


Notes/Issues 

What  additional  information  do  you  want  to  record? 


Servers 


■BBEBBOO 

Internal  Networks 

1 - 1- — x - 1  □ 

1 - 1 - 1  □ 

1”  I  I  j 

On-Site  Workstations 

1 - |-x - 1  □ 

Laptops 

1 - |-x - 1  □ 

l-X - 1 - 1  □ 

PDAs/Wireless  Components 

1 - |. - XI  □ 

1 - 1 - XI  □  1 

1 - 1 - 1  □ 

IT  docs  some  items  on  these. 


IT  focuses  on  Admin's  workstations. 


IT  does  a  lot  of  extras  on  their  own  PCs. 


No  one  has  paid  attention  to  this. 
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Note 

In  Step  19a , 
mark  the  path  to 
each  class 
selected  in  Steps 
18a-18e. 


Step  19a 


Step  19b 


Class 


Which  classes  of  components 
are  related  to  one  or  more 
critical  assets? 


(Document  any  relevant 
subclasses  or  specific 
examples  when  appropriate .) 


Critical  Assets 

Which  critical  assets  are 
related  to  each  class? 


if) 

a 


V) 

u 

6) 

V) 

L 

£ 

TO 

o 

CO 

4- 

E 

V) 

>■ 

L. 

if) 

U 

CL 

a 

V) 

O 

Cl 

O 

CO 

CL 

< 

CM 

00 

if) 

a 

o 

UJ 

irS 


Other  Systems 


All  other  systems 


✓ 

Storage  Devices 


Local  back-up 


Of f -site  tapes 


✓ 

V 

External  Networks 


All 


■ 

■ 

Home/Extemal  Workstations 


Physicians,  senior  admin. 


✓ 

■ 

■ 

■ 

! 

H 

Other . 


Step  20 


Responsibility 

Who  is  responsible  for 
maintaining  and  securing 
each  class  of  component? 


ABC  Systems  and  our  IT 


ABC  Systems  and  our  IT 
Not  sure 


Unknown 


Individual 
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Other  Systems 


igggi 

WM 

□ 

|B1 

□ 

MmSmBum 

UJ 

■MBMH 

hhhhi 

□ 

1  . 

1 

□ 

m 

□ 

□ 

a 

a 

□ 

a 

a 

Storage  Devices 


□ 

a 

a 

a 

□ 

□ 

a 

a 

□ 

a 

a 

a 

a 

□ 

□ 

□ 

a 

□ 

□ 

a 

□ 

□ 

□ 

a 

□ 

□ 

a 

a 

a 

a 

a 

□ 

□ 

□ 

□ 

Might  be  outsourced  from  ABC  Systems 


Up  to  owner  to  manage 
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Probability  Evaluation  Criteria  Worksheet 


13  Probability  Evaluation  Criteria  Worksheet 


Step  23 
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Step  23 


i 

I.  Think  about  what  constitutes  a  high,  medium,  and  low  likelihood  of  occurrence  for  ; 

threats  to  your  organization ’s  critical  assets.  j 

. . . . v - - - - 

High 

Medium  j 

Time  Between 

Events 

Daily  Weekly  Monthly  Four  Times  Per 

Year 

<  4  Times  j 
Per  Year 

Two  Times  PeF  • 

Vartl-  ! 

1  Cut  , 

Annualized 

Frequency 

365  52  12  4 

3  j 

<4 
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2.  Draw  lines  that  separate  high  from  medium  and  medium  from  low. 

Medium 

Low 

J  One  Time  Per 
j  Year 

<  1  Time  Per 

Year 

Once  Every  Once  Every  Once  Every  10  Once  Every  20  Once  Every  50 

Two  Years  Five  Years  Years  Years  Years 

i  l 

QS  0.2  0.1  0.05  0.02 

<  1 
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Protection  Strategy  Worksheet 


14  Protection  Strategy  Worksheet 


Steps  25,  29 

This  section  includes  an  excerpt  of  the  entire  protection  strategy  for  MedSite.  Two  types  of 
practice  areas  are  included:  the  selected  mitigation  areas  and  a  few  of  the  other  practice  areas  with 
general,  strategic  improvements. 

The  mitigation  areas  reflect  corporate  or  strategic-level  changes  driven  primarily  by  the 
mitigation  plans  for  specific  risks  to  critical  assets.  The  mitigation  areas  are 

•  Security  awareness  and  training 

•  Collaborative  security  management 

•  Monitoring  and  auditing  physical  security 

•  Authentication  and  authorization 

Strategic  level  changes  were  also  identified  for  the  rest  of  the  security  practice  areas.  The  other 
areas  with  strategic  changes  included  here  are  security  policies  and  regulations. 
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14.1  Protection  Strategy  for  Security  Awareness  and 
Training 
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Do  you  want  to  make  any  additional  changes  to  your  training  strategy ! 


Training  Strategy  _ _ 


The  organization  has  a  documented  training  strategy  that  includes  security 
awareness  training  and  security-related  training  for  supported  technologies. 


The  organization  has  an  informal  and  undocumented  training  strategy. 


Step  25  I  Step  29  | 

□  Current 

□  Change 

E  Current 

□  Change 

□  Current 

□  Change 

Step  25:  How  often  is  security  awareness  training  provided? 

Step  29:  Will  any  mitigation  activities  change  how  often  security  awareness  training  is  provided? 

Do  you  want  to  make  any  additional  changes  to  how  often  security  awareness  training  isprovided. 


Security  Awareness  Training 


Periodic  security  awareness  training  is  provided  for  all  employees 
1  time(s')  every  1  years. 

Security  awareness  training  is  provided  for  new  staff  members  as  part  of  their 
orientation  activities. 


The  organization  does  not  provide  security  awareness  training.  Staff  members 
learn  about  security  issues  on  their  own. 


|  Step  25  ^  Step  29  | 

□  Current 

E  Change 

E  Current 

□  Change 

□  Current 

□  Change 

□  Current 

□  Change 

Protection  Strategy  for  Security  Awareness  and  Training 


1.  Security  Awareness  and  Training 


Step  25:  To  what  extent  are  IT  staff  members  required  to  attend  security-related  training? 

Step  29:  Will  any  mitigation  activities  change  the  requirement  for  attending  security-related  training? 

Do  you  want  to  make  any  additional  changes  to  the  requirement  for  attending  security-related  training? 


Security-Related  Training  for  Supported  Technologies 


Information  technology  staff  members  are  required  to  attend  security-related  □  Current  □ 

training  for  any  technologies  that  they  support. 

Information  technology  staff  members  can  attend  security-related  training  for  □  Current  IS 

any  technologies  that  they  support  if  they  request  it. 

The  organization  generally  does  not  provide  opportunities  for  information  E  Current  Q 

technology  staff  members  to  attend  security-related  training  for  supported 
technologies.  Information  technology  staff  members  learn  about  security-related 
issues  on  their  own. 


Step  25  H 

Step  29  | 

□  Current 

□  Change 

□  Current 

E  Change 

E  Current 

□  Change 

□  Current  □  Change 


Step  25:  How  formal  is  your  organization 's  mechanism  for  providing  periodic  security  updates? 

Step  29:  Will  any  mitigation  activities  change  your  mechanism  for  providing  periodic  security  updates? 

Do  you  want  to  make  any  additional  changes  to  your  mechanism  for  providing  periodic  security  updates? 
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1.  Security  Awareness  and  Training  Stoplight  Status  R 

Step  25:  How  formal  is  your  organization’s  mechanism  for  verifying  that  staff  receives  training? 

Step  29:  Will  any  mitigation  activities  change  your  mechanism  for  verifying  that  staff  receives  training? 

Do  you  want  to  make  any  additional  changes  to  your  mechanism  for  verifying  that  staff  receives  training? 


Training  Verification 


The  organization  has  formal  mechanisms  for  tracking  and  verifying  that  staff  □  Current  □  Change 

members  receive  appropriate  security-related  training. 

The  organization  has  informal  mechanisms  for  tracking  and  verifying  that  staff  □  Current  13  Change 

members  receive  appropriate  security-related  training. 


The  organization  has  no  mechanisms  for  tracking  and  verifying  that  staff 
members  receive  appropriate  security-related  training. 


Step  25  m 

Step  29  1 

□  Current 

□  Change 

□  Current 

13  Change 

El  Current 

□  Change 

□  Current 

□  Change 

Step  25:  What  additional  characteristic  of  your  current  approach  to  security  awareness  and  training  do  you  want  to 
record? 

Step  29:  Will  any  mitigation  activities  change  this  characteristic? 

Do  you  want  to  make  any  additional  changes  to  this  characteristic?  __ 


Step  25 


Step  29 


□  Current  □  Change 


□  Current  □  Change 


□  Current  □  Change 
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14.2  Protection  Strategy  for  Collaborative  Security 
Management 
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5.  Collaborative  Security  Management 


Stoplight  Status 


R 


Step  25:  How  formal  are  your  organization ’s  policies  and  procedures  for  protecting  information  when  working  with 

collaborators  and  partners? 

Step  29:  Will  any  mitigation  activities  change  the  policies  and  procedures  for  protecting  information  when  working  with 

collaborators  and  partners?  . 

Do  you  want  to  make  any  additional  changes  to  the  policies  and  procedures  for  protecting  information  when 

working  with  collaborators  and  partners? 


Collaborators  and  Partners 


The  organization  has  documented  policies  and  procedures  for  protecting 
information  when  working  with  collaborators  and  partners. 


Step  25 


Step  29 


The  organization  has  documented  policies  and  procedures  for  protecting  certain 
information  when  working  with  collaborators  and  partners.  The  organization  has 
informal  and  undocumented  policies  and  procedures  for  protecting  other  types  of 
information  when  working  with  collaborators  and  partners. 

The  organization  has  informal  and  undocumented  policies  and  procedures  for 
protecting  information  when  working  with  collaborators  and  partners. 


□  Current  □  Change 


□  Current  □  Change 


IS1  Current  □  Change 


□  Current  □  Change 


Step  25:  How  formal  are  your  organization 's  policies  and  procedures  for  protecting  information  when  working  with 
contractors  and  subcontractors  ? 

Step  29:  Will  any  mitigation  activities  change  the  policies  and  procedures  for  protecting  information  when  working  with 
contractors  and  subcontractors? 

Do  you  want  to  make  any  additional  changes  to  the  policies  and  procedures  for  protecting  information  when 
working  with  contractors  and  subcontractors? 


Contractors  and  Subcontractors _ 


The  organization  has  documented  policies  and  procedures  for  protecting 
information  when  working  with  contractors  and  subcontractors. 

The  organization  has  documented  policies  and  procedures  for  protecting  certain 
information  when  working  with  contractors  and  subcontractors.  The  organization 
has  informal  and  undocumented  policies  and  procedures  for  protecting  other 
types  of  information  when  working  with  contractors  and  subcontractors. 

The  organization  has  informal  and  undocumented  policies  and  procedures  for 
protecting  information  when  working  with  contractors  and  subcontractors. 


Step  25 


Step  29 


□  Current  □  Change 


□  Current  □  Change 


0  Current  □  Change 


□  Current  □  Change 
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5.  Collaborative  Security  Management 


Step  25:  How  formal  are  your  organization 's  policies  and  procedures  for  protecting  information  when  working  with  service 
providers? 

Step  29:  Will  any  mitigation  activities  change  the  policies  and  procedures  for  protecting  information  when  working  with 
service  providers? 

Do  you  want  to  make  any  additional  changes  to  the  policies  and  procedures  for  protecting  information  when 
working  with  service  providers? 


Service  Providers 


■HHH 

Step  25 

■ 

Step  29 

The  organization  has  documented  policies  and  procedures  for  protecting 
information  when  working  with  service  providers. 

□  Current 

□  Change 

The  organization  has  documented  policies  and  procedures  for  protecting  certain 
information  when  working  with  service  providers.  The  organization  has  informal 
and  undocumented  policies  and  procedures  for  protecting  other  types  of 
information  when  working  with  service  providers. 

□  Current 

□  Change 

The  organization  has  informal  and  undocumented  policies  and  procedures  for 
protecting  information  when  working  with  service  providers. 

El  Current 

□  Change 

□  Current 

□  Change 

Step  25:  To  what  extent  does  your  organization  formally  communicate  its  information  protection  requirements  to  third 
parties? 

Step  29:  Will  any  mitigation  activities  change  how  your  organization  communicates  its  information  protection  requirements 
to  third  parties? 

Do  you  want  to  make  any  additional  changes  to  how  your  organization  communicates  its  information  protection 
requirements  to  third  parties? 


Requirements 


iHIHH 

Step  25 

■ 

Step  29 

The  organization  documents  information  protection  requirements  and  explicitly 
communicates  them  to  all  appropriate  third  parties. 

□  Current 

□  Change 

The  organization  informally  communicates  information  protection  requirements 
to  all  appropriate  third  parties.  Facilities  Management  and  ABC  Systems. 

□  Current 

El  Change 

The  organization  does  not  communicate  information  protection  requirements  to 
third  parties. 

El  Current 

□  Change 

□  Current 

□  Change 
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5.  Collaborative  Security  Management 


Stoplight  Status  R 


Step  25:  To  what  extent  does  your  organization  verify  that  third  parties  are  addressing  information  protection 
requirements? 

Step  29:  Will  any  mitigation  activities  change  verification  mechanisms  ? 


Do  you  want  to  make  any  additional  changes  to  verification  mechanisms? 


Verification 


Step  25 


Step  29 


The  organization  has  formal  mechanisms  for  verifying  that  all  third-party  □  Current  □  Change 

organizations,  outsourced  security  services,  mechanisms,  and  technologies  meet 

its  needs  and  requirements.  _  _ 

Facilities  Management  and  ABC  Systems  a  current  El  Change 

The  organization  has  informal  mechanisms  for  verifying  that  all  third  party 


itsneeds  and  requirements. - - - - - - - - - - - - - . — - - - - 

The  organization  has  no  mechanisms  for  verifying  that  all  third-party  El  Current  □  Change 

organizations,  outsourced  security  services,  mechanisms,  and  technologies  meet 
its  needs  and  requirements. 


□  Current  □  Change 


Step  25:  To  what  extent  does  your  security-awareness  training  program  include  information  about  collaborative  security 
management? 

Step  29:  Will  any  mitigation  activities  change  the  content  of  your  security  awareness  training  to  include  information  about 

collaborative  security  management?  .  . 

Do  you  want  to  make  any  additional  changes  to  the  content  of  your  security  awareness  training . 


Staff  Awareness  _ 

The  organization’s  security-awareness  training  program  includes  information 
about  the  organization’s  collaborative  security  management  policies  and 

procedures.  This  training  is  provided  for  all  employees - time(s)  every 

_ years. 

The  organization’s  security-awareness  training  program  includes  information 
about  the  organization’s  collaborative  security  management  policies  and 
procedures.  This  training  is  provided  for  new  staff  members  as  part  of  their 
orientation  activities. 

The  organization’s  security-awareness  training  program  does  not  include 
information  about  the  organization’s  collaborative  security  management  policies 
and  procedures.  Staff  members  learn  about  collaborative  security  management 
policies  and  procedures  on  their  own. 


Step  25 


Step  29 


□  Current  □  Change 


□  Current  □  Change 


E  Current  □  Change 


□  Current  □  Change 


Protection  Strategy  for  Collaborative  Security  Management 


5.  Collaborative  Security  Management 

Step  25:  What  additional  characteristic  of  your  current  approach  to  collaborative  security  management  do  you  want  to 
record? 

Step  29:  Will  any  mitigation  activities  change  this  characteristic? 

Do  you  want  to  make  any  additional  changes  to  this  characteristic? 
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14.3  Protection  Strategy  for  Monitoring  and  Auditing 
Physical  Security 
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8.  Monitoring  and  Auditing  Physical  Security  Stoplight  Status  |  R 

Step  25:  Who  is  currently  responsible  for  monitoring  and  auditing  physical  security >? 

Step  29:  Will  any  mitigation  activities  change  responsibility'  for  monitoring  and  auditing  physical  security? 

Do  you  want  to  make  any  additional  changes  affecting  responsibility  for  monitoring  and  auditing  physical  security. 


Responsibility 


Keeping  maintenance  records  to  document  repairs  and  modifications  to  IT 
hardware 

Monitoring  physical  access  to  controlled  IT  hardware 
Monitoring  physical  access  to  controlled  IT  software  media 
Monitoring  physical  access  to  restricted  work  areas 
Reviewing  monitoring  records  on  a  periodic  basis 
Investigating  and  addressing  any  unusual  activity  that  is  identified 


Step  25 


Step  29 


E  Current  □  Change 
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a 

a 

E 

□ 

□ 

□ 

a 

□ 

E 

a 

□ 

a 

a 

□  ' 

E 

a 

a 

a 

a 

□ 

E 

□ 

□ 

□ 

a 

□ 

E 

□ 

a 

a 

a 

a 

□ 

a 

□ 

a 

a 

a 

□ 

□ 

□ 

a 

a 

a 

a 

a 

□ 

a 

a 

□ 

a 

□ 
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Protection  Strategy  for  Monitoring  and  Auditing  Physical  Security 


8.  Monitoring  and  Auditing  Physical  Security 


Step  25:  To  what  extent  are  procedures  for  this  area  formally  documented? 


Step  29:  Will  any  mitigation  activities  change  the  extent  to  which  procedures  are  formally  documented  for  this  area? 
Do  you  want  to  make  any  additional  changes  to  how  procedures  are  documented  for  this  area? 


Procedures 


Step  25 

■ 

Step  29 

If  staff  from  your  organization  is  partly  or  completely  responsible  for  this  area: 


The  organization  has  formally  documented  plans  and  procedures  for 
monitoring  physical  access  to  the  building  and  premises,  work  areas,  IT 
hardware,  and  software  media. 

□  Current 

□  Change 

The  organization  has  some  formally  documented  policies  and  procedures  for 
monitoring  physical  access  to  the  building  and  premises,  work  areas,  IT 
hardware,  and  software  media.  Some  policies  and  procedures  in  this  area  are 
informal  and  undocumented. 

□  Current 

E  Change 

The  organization  has  informal  and  undocumented  plans  and  procedures  for 
monitoring  physical  access  to  the  building  and  premises,  work  areas,  IT 
hardware,  and  software  media. 

El  Current 

□  Change 

□  Current 

□  Change 

Step  25:  To  what  extent  are  staff  members  required  to  attend  training  in  this  area? 


Step  29:  Will  any  mitigation  activities  change  the  requirement  for  attending  training  in  this  area? 

Do  you  want  to  make  any  additional  changes  to  the  requirement  for  attending  training  in  this  area? 


If  staff  from  your  organization  is  partly  or  completely  responsible  for  this  area: 

Designated  staff  members  are  required  to  attend  training  for  monitoring 
physical  access  to  the  building  and  premises,  work  areas,  IT  hardware,  and 
software  media. 

□  Current 

□  Change 

Designated  staff  members  can  attend  training  for  monitoring  physical  access 
to  the  building  and  premises,  work  areas,  IT  hardware,  and  software  media  if 
they  request  it. 

□  Current 

□  Change 

The  organization  generally  does  not  provide  opportunities  for  designated  staff 
members  to  attend  training  for  monitoring  physical  access  to  the  building  and 
premisesj-work  areas,  IT  hardware,  and  software  media.  Designated  staff 
members  learn  about  monitoring  physical  access  on  their  own. 

El  Current 

□  Change 

□  Current 

□  Change 

■■■I 

Step  25 

■ 

Step  29 
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8.  Monitoring  and  Auditing  Physical  Security 
Third  Party  A:  Facilities  Management _ 


Stoplight  Status  R 


Step  25:  To  what  extent  does  your  organization  formally  communicate  its  requirements  in  this  area  to  this  third  party? 
Step  29:  Will  any  mitigation  activities  change  how  your  organization  communicates  its  requirements  to  this  third  party? 

_  •*  •  >  f  _ -  I _ ..... _ _ ... /rt  thi c  third  nnrt\)  ? 


y.  KViii  UtJtVIUCJ  o - „ - -  j 

Do  you  want  to  make  any  additional  changes  to  how  you  communicate  requirements  to  this  third  party 


■HHI 

Step  25 

■ 

Step  29 

If  staff  from  a  third  party  is  partly  or  completely  responsible  for  this  area: 

The  organization’s  requirements  for  monitoring  physical  security  are  formally 
communicated  to  all  contractors  and  service  providers  that  monitor  physical 
access  to  the  building  and  premises,  work  areas,  IT  hardware,  and  software 
media. 

□  Current 

□  Change 

The  organization’s  requirements  for  monitoring  physical  security  are 
informally  communicated  to  all  contractors  and  service  providers  that  monitor 
physical  access  to  the  building  and  premises,  work  areas,  IT  hardware,  and 
software  media. 

□  Current 

El  Change 

The  organization’s  requirements  for  monitoring  physical  security  are  not 
communicated  to  all  contractors  and  service  providers  that  monitor  physical 
access  to  the  building  and  premises,  work  areas,  IT  hardware,  and  software 
medlar 

El  Current 

□  Change 

□  Current 

□  Change 

Step  25:  To  what  extent  does  your  organization  verify  that  this  third  party  is  addressing  requirements  in  this  area  ? 

Step  29:  Will  any  mitigation  activities  change  how  you  verify  that  this  third  party  is  addressing  requirements  in  this  area? 
Do  you  want  to  make  any  additional  changes  to  how  you  verify  that  requirements  arehein^net? 


If  staff  from  a  third  party  is  partly  or  completely  responsible  for  this  area: 

The  organization  formally  verifies  that  contractors  and  service  providers  have 
met  the  requirements  for  monitoring  physical  security. 

□  Current 

□  Change 

The  organization  informally  verifies  that  contractors  and  service  providers 
have  met  the  requirements  for  monitoring  physical  security. 

□  Current 

El  Change 

The  organization  does  not  verify  that  contractors  and  service  providers  have 
met  the  requirements  for  monitoring  physical  security. 

El  Current 

□  Change 

□  Current 

□  Change 

■H 

Step  25 

■ 

Step  29 
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Third  Party  B:. 


8.  Monitoring  and  Auditing  Physical  Security 


Step  25:  To  what  extent  does  your  organization  formally  communicate  its  requirements  in  this  area  to  this  third  party? 


Step  29:  Will  any  mitigation  activities  change  how  your  organization  communicates  its  requirements  to  this  third  party? 
Do  you  want  to  make  any  additional  changes  to  how  you  communicate  requirements  to  this  third  party? 


Collaborative  Issues  | 

Step  25  1^^ 

Step  29 

If  staff  from  a  third  party  is  partly  or  completely  responsible  for  this  area:  | 

The  organization’s  requirements  for  monitoring  physical  security  are  formally 
communicated  to  all  contractors  and  service  providers  that  monitor  physical 
access  to  the  building  and  premises,  work  areas,  IT  hardware,  and  software 
media. 

□  Current 

□  Change 

The  organization’s  requirements  for  monitoring  physical  security  are 
informally  communicated  to  all  contractors  and  service  providers  that  monitor 
physical  access  to  the  building  and  premises,  work  areas,  IT  hardware,  and 
software  media. 

□  Current 

□  Change 

The  organization’s  requirements  for  monitoring  physical  security  are  not 

□  Current 

□  Change 

communicated  to  all  contractors  and  service  providers  that  monitor  physical 
access  to  the  building  and  premises,  work  areas,  IT  hardware,  and  software 
media. 


□  Current  □  Change 


Step  25:  To  what  extent  does  your  organization  verify  that  this  third  party  is  addressing  requirements  in  this  area? 

Step  29:  Will  any  mitigation  activities  change  how  you  verify  that  this  third  party  is  addressing  requirements  in  this  area? 
Do  you  want  to  make  any  additional  changes  to  how  you  verify  that  requirements  are  being  met  ?  _ 


Step  25  H  Step  29 


If  staff  from  a  third  party  is  partly  or  completely  responsible  for  this  area: 

The  organization  formally  verifies  that  contractors  and  service  providers  have 
met  the  requirements  for  monitoring  physical  security. 

□  Current 

□  Change 

The  organization  informally  verifies  that  contractors  and  service  providers 
have  met  the  requirements  for  monitoring  physical  security. 

□  Current 

□  Change 

The  organization  does  not  verify  that  contractors  and  service  providers  have 
met  the  requirements  for  monitoring  physical  security. 

□  Current 

□  Change 

□  Current 

□  Change 
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14.4  Protection  Strategy  for  Authentication  and 
Authorization 
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Stoplight  Status  R 


11.  Authentication  and  Authorization  Stoplight  statu 

Step  25:  Who  is  currently  responsible  for  authentication  and  authorization? 

Step  29:  Will  any  mitigation  activities  change  responsibility  for  authentication  and  authorization?  _ 

Do  you  want  to  make  any  additional  changes  affecting  responsibility  for  authentication  and  authorization? 


Responsibility 


Implementing  access  controls  (e.g.,  file  permissions,  network 
configuration)  to  restrict  user  access  to  information,  sensitive  systems, 
specific  applications  and  services,  and  network  connections 

Implementing  user  authentication  (e.g.,  passwords,  biometrics)  to  restrict 
user  access  to  information,  sensitive  systems,  specific  applications  and 
services,  and  network  connections 

Establishing  and  terminating  access  to  systems  and  information  for  both 
individuals  and  groups 


Step  25 


El  Current 


Step  29 


El  Change 
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11.  Authentication  and  Authorization 

Step  25:  To  what  extent  are  procedures  for  this  area  formally  documented? 

Step  29:  Will  any  mitigation  activities  change  the  extent  to  which  procedures  are  formally  documented  for  this  area? 

Do  you  want  to  make  any  additional  changes  to  how  procedures  are  documented  for  this  area?  _ 


Procedures  _ 


If  staff  from  your  organization  is  partly  or  completely  responsible  for  this  area: 

The  organization  has  formally  documented  authorization  and  authentication 
procedures  for  restricting  user  access  to  information,  sensitive  systems, 
specific  applications  and  services,  and  network  connections. 

The  organization  has  some  formally  documented  authorization  and 
authentication  procedures  for  restricting  user  access  to  information,  sensitive 
systems,  specific  applications  and  services,  and  network  connections.  Some 
procedures  in  this  area  are  informal  and  undocumented. 

The  organization  has  informal  and  undocumented  authorization  and 
authentication  procedures  for  restricting  user  access  to  information,  sensitive 
systems,  specific  applications  and  services,  and  network  connections. 


Step  25 


Step  29 


□  Current  □  Change 


□  Current  El  Change 


El  Current  □  Change 


□  Current  □  Change 


Step  25:  To  what  extent  are  staff  members  required  to  attend  training  in  this  area? 

Step  29:  Will  any  mitigation  activities  change  the  requirement  for  attending  training  in  this  area? 

Do  you  want  to  make  any  additional  changes  to  the  requirement  for  attending  training  in  this  area? 


Step  25 


Step  29 


If  staff  from  your  organization  is  partly  or  completely  responsible  for  this  area:  1 

Information  technology  staff  members  are  required  to  attend  training  for 
implementing  technological  measures  to  restrict  user  access  to  information, 
sensitive  systems,  specific  applications  and  services,  and  network 
connections. 

□  Current 

□  Change 

Information  technology  staff  members  can  attend  training  for  implementing 
technological  measures  to  restrict  user  access  to  information,  sensitive 
systems,  specific  applications  and  services,  and  network  connections  if  they 
request  it. 

□  Current 

ED  Change 

The  organization  generally  does  not  provide  opportunities  for  information 
technology  staff  members  to  attend  training  for  implementing  technological 
measures  to  restrict  user  access  to  information,  sensitive  systems,  specific 
applications  and  services,  and  network  connections.  Information  technology 
staff  members  learn  about  authentication  and  authorization  on  their  own. 

ED  Current 

□  Change 

□  Current 

□  Change 
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11.  Authentication  and  Authorization 
Third  Party  A:  ABC  Systems _ 


Stoplight  Status  R 


Step  25:  To  what  extent  does  your  organization  formally  communicate  its  requirements  in  this  area  to  this  third  party? 

Step  29:  Will  any  mitigation  activities  change  how  your  organization  communicates  its  requirements  to  this  third  party? 

'  Do  you  want  to  make  any  additional  changes  to  how  you  communicate  requirements  to  this  third  party  ?  _ 


Collaborative  Issues  _ 


If  staff  from  a  third  party  is  partly  or  completely  responsible  for  this  area:  _ _ 


The  organization’s  requirements  for  controlling  access  to  systems  and 
information  are  formally  communicated  to  all  contractors  and  service 
providers  that  provide  authentication  and  authorization  services. 

The  organization’s  requirements  for  controlling  access  to  systems  and 
information  are  informally  communicated  .to  all  contractors  and  service 
providers  that  monitor  systems  and  networks. 

The  organization’s  requirements  for  controlling  access  to  systems  and 
information  are  not  communicated  to  all  contractors  and  service  providers 
that  monitor  systems  and  networks. 


Step  25  Step  29 

□  Current 

□  Change 

□  Current 

E  Change 

El  Current 

□  Change 

□  Current 

□  Change 

Step  25:  To  what  extent  does  your  organization  verify  that  this  third  party  is  addressing  requirements  in  this  area  ? 

Step  29:  Will  any  mitigation  activities  change  how  you  verify  that  this  third  party  is  addressing  requirements  in  this  area  ? 
Do  you  want  to  make  any  additional  changes  to  you  verify  that  requirements  are  being  met?. 


Verification 


If  staff  from  a  third  party  is  partly  or  completely  responsible  for  this  area 

The  organization  formally  verifies  that  contractors  and  service  providers  ha 
met  the  requirements  for  authentication  and  authorization. 

The  organization  informally  verifies  that  contractors  and  service  providers 
have  met  the  requirements  for  authentication  and  authorization. 

The  organization  does  not  verify  that  contractors  and  service  providers  hav< 
met  the  requirements  for  authentication  and  authorization. 


Step  25  Step  29  ^ 

□  Current 

□  Change 

□  Current 

E  Change 

El  Current 

□  Change 

Protection  Strategy  for  Authentication  and  Authorization 


11.  Authentication  and  Authorization 

Third  Party  B: _ _ 

Step  25:  To  what  extent  does  your  organization  formally  communicate  its  requirements  in  this  area  to  this  third  party? 

Step  29:  Will  any  mitigation  activities  change  how  your  organization  communicates  its  requirements  to  this  third  party? 

Do  you  want  to  make  any  additional  changes  to  how  you  communicate  requirements  to  this  third  party? 


Collaborative  Issues 


If  staff  from  a  third  party  is  partly  or  completely  responsible  for this  area _ _ 

The  organization’s  requirements  for  controlling  access  to  systems  and  □  Current  □  Change 

information  are  formally  communicated  to  all  contractors  and  service 
providers  that  provide  authentication  and  authorization  services. 

The  organization’s  requirements  for  controlling  access  to  systems  and  □  Current  □  Change 

information  are  informally  communicated  to  all  contractors  and  service 
providers  that  monitor  systems  and  networks. 

The  organization’s  requirements  for  controlling  access  to  systems  and  □  Current  □  Change 

information  are  not  communicated  to  all  contractors  and  service  providers 
that  monitor  systems  and  networks. 


Step  25:  To  what  extent  does  your  organization  verify  that  this  third  party  is  addressing  requirements  in  this  area? 

Step  29:  Will  any  mitigation  activities  change  how  you  verify  that  this  third  party  is  addressing  requirements  in  this  area  ? 
Do  you  want  to  make  any  additional  changes  to  you  verify  that  requirements  are  being  met? 


Verification  | 

Step  25  m 

Step  29  m 

If  staff  from  a  third  party  is  partly  or  completely  responsible  for  this  area: 

The  organization  formally  verifies  that  contractors  and  service  providers  have 
met  the  requirements  for  authentication  and  authorization. 

□  Current 

□  Change 

The  organization  informally  verifies  that  contractors  and  service  providers 
have  met  the  requirements  for  authentication  and  authorization. 

□  Current 

□  Change 

The  organization  does  not  verify  that  contractors  and  service  providers  have 
met  the  requirements  for  authentication  and  authorization. 

□  Current 

□  Change 

□  Current 

□  Change 
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14.5  Protection  Strategy  for  Security  Policies  and 
Regulations 
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4.  Security  Policies  and  Regulations 


Stoplight  Status  y  j 


Step  25:  To  what  extent  are  your  organization 's  security-related  policies  formally  documented? 

Step  29 •  Will  any  mitigation  activities  change  the  extent  to  which  your  security-related  policies  arefonnally  documented? 
Do  you  want  to  make  any  additional  changes  to  the  extent  to  which  your  security-related  polices  are  formally 
documented?  _ _ 


Documented  Policies  _ 


The  organization  has  a  comprehensive  set  of  formally  documented  security-  □  Current  □  Change 

related  policies.  __  _ 

The  organization  has  a  partial  set  of  formally  documented  security-related  El  Current  □  Change 

policies.  Some  security-related  policies  are  informal  and  undocumented. 

The  organization’s  security-related  policies  are  informal  and  undocumented.  □  Current  □  Change 


Step  25  ^  Step  29  | 

□  Current 

□  Change 

13  Current 

□  Change 

□  Current 

□  Change 

□  Current 

□  Change 

Step  25:  How  formal  is  your  organization 's  mechanism  for  creating  and  updating  its  security-related  policies? 

Step  29:  Will  any  mitigation  activities  change  how  your  security-related  policies  are  created  and  updated? 

Do  you  want  to  make  any  additional  changes  to  how  your  security-related  policies  arecreatedand  updated. 


Policy  Management 


The  organization  has  a  formal  mechanism  for  creating  and  updating  its  securit; 
related  policies. 

The  organization  has  a  formal  mechanism  for  creating  its  security-related 
policies.  The  organization  has  an  informal  and  undocumented  mechanism  for 
updating  its  security-related  policies. 

The  organization  has  an  informal  and  undocumented  mechanism  for  creating  < 
updating  its  security-related  policies. 


Step  25  m  Step  29  | 

□  Current 

□  Change 

□  Current 

□  Change 

El  Current 

□  Change 

□  Current 

□  Change 

Protection  Strategy  for  Security  Policies  and  Regulations 


4.  Security  Policies  and  Regulations 

Step  25:  How  formal  are  your  organization 's  procedures  for  enforcing  its  security-related  policies? 

Step  29:  Will  any  mitigation  activities  change  how  security-related  policies  are  enforced? 

Do  you  want  to  make  any  additional  changes  to  how  security-related  policies  are  enforced? 


Policy  Enforcement 


Step  25 


Step  29 


The  organization  has  formal  procedures  for  enforcing  its  security-related 
policies.  Enforcement  procedures  are  consistently  followed. 

□  Current 

□  Change 

The  organization  has  formal  procedures  for  enforcing  its  security-related 
policies.  Enforcement  procedures  are  inconsistently  followed. 

□  Current 

E  Change 

The  organization  has  informal  and  undocumented  procedures  for  enforcing  its 
security-related  policies. 

El  Current 

□  Change 

□  Current 

□  Change 

Step  25:  To  what  extent  does  your  security-awareness  training  program  include  information  about  the  organization ’s 
security  policies  and  regulations? 

Step  29:  Will  any  mitigation  activities  change  the  content  of  your  security  awareness  training  to  include  security  policy  and 
regulation  information? 

Do  you  want  to  make  any  additional  changes  to  the  content  of  your  security  awareness  training?  _ 


Staff  Awareness 


The  organization’s  security-awareness  training  program  includes  information  □  Current  El  Change 

about  the  organization’s  security  policies  and  regulations.  This  training  is 
provided  for  all  employees  1  time(s)  every _ 1 - years. 

The  organization’s  security-awareness  training  program  includes  information  □  Current  □  Change 

about  the  organization’s  security  policies  and  regulations.  This  training  is 
provided  for  new  staff  members  as  part  of  their  orientation  activities. 


The  organization’s  security-awareness  training  program  does  not  include 
information  about  the  organization’s  security  policies  and  regulations.  Staff 
members  learn  about  security  policies  and  regulations  on  their  own. 


Step  25  H 

Step  29  Jj 

□  Current 

E  Change 

□  Current 

□  Change 

El  Current 

□  Change 

□  Current 

□  Change 
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4.  Security  Policies  and  Regulations 


Stoplight  Status 


y 


Step  25:  How  formal  are  your  organization *s  procedures  for  complying  with  security-related  policies  and  regulations? 

Step  29:  Will  any  mitigation  activities  change  how. your  organization  complies  with  security-related  policies  and 

regulations?  ......  . 

Do  you  want  to  make  any  additional  changes  to  how  your  organization  complies  with  security-related  policies  and 

regulations?  _ 


Mill 

Step  25 

■ 

Step  29 

The  organization  has  formal  procedures  for  complying  with  information  security 
policies,  applicable  laws  and  regulations,  and  insurance  requirements. 

□  Current 

□  Change 

The  organization  has  formal  procedures  for  complying  with  certain  information 
security  policies,  applicable  laws  and  regulations,  and  insurance  requirements. 
Some  procedures  in  this  area  are  informal  and  undocumented. 

□  Current 

E  Change 

The  organization  has  informal  and  undocumented  procedures  for  complying  with 
information  security  policies,  applicable  laws  and  regulations,  and  insurance 
requirements. 

E>D  Current 

□  Change 

□  Current 

□  Change 

Step  25:  What  additional  characteristic  of  your  current  approach  to  security  policies  and  regulations  do  you  want  to 
record? 

Step  29:  Will  any  mitigation  activities  change  this  characteristic? 

Do  you  want  to  make  any  additional  changes  to  this  characteristic ? 


Step  25  Step  29 


□  Current 

□  Change 

□  Current 

□  Change 

□  Current 

□  Change 
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Mitigation  Plan  Worksheet 


1 5  Mitigation  Plan  Worksheet 


Step  28 
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Mitigation  Area:  1  Security  Awareness  and  Training. 


Step  28 


Mitigation  Activity 

Rationale 

Which  mitigation  activities  are  you  going  to  implement  in  this 
security  practice  area? 

Why  did  you  select  each  activity? 

Provide  periodic  security  awareness  training  for  all 
employees  once  a  year. 

Note:  This  will  change  MedSite's  protection  strategy. 

MedSite's  current  policy  is  to  provide  awareness 
training  for  new  employees  only.  This  is 
inadequate.  Security  awareness  training  should  be 
provided  on  a  periodic  basis. 

Enable  IT  staff  members  to  attend  security-related 
training  for  any  technologies  that  they  support. 

The  security  practices  survey  indicated  that 
there  is  a  lack  of  training  for  IT  staff  at 

MedSite. 

The  manager  in  each  department  will  keep  a  list  of 
people  who  have  received  security  awareness  training 
and  when  they  received  it. 

We  must  set  up  a  tracking  mechanism  if  we 
intend  to  improve  our  training  related  to  security. 

Mitigation  Plan  Worksheet 


Mitigation  Responsibility 

Additional  Support 

Who  needs  to  be  involved  in  implementing  each  activity? 
Why? 

What  additional  support  will  be  needed  when 
implementing  each  activity  (e.g.,  funding,  commitment  of 
staff,  sponsorship)? 

MedSite's  senior  management  team  and  the 
training  department  manager 

Increasing  the  frequency  of  security  awareness 
training  requires  commitment  and  funding  from 
senior  management.  It  will  also  require  a 
commitment  from  MedSite's  Training 

Department. 

MedSite's  IT  manager  must  take  responsibility 
for  implementing  this  mitigation  activity. 

MedSite's  senior  managers  must  approve  and  find 
funding  for  this  activity.  MedSite's  CIO  needs  to 
sponsor  implementation  of  this  activity. 

The  manager  in  each  MedSite  department 

Each  department  manager  must  participate  in  this 
activity.  Senior  managers  need  to  make  this  a 
requirement  for  it  to  work. 
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Mitigation  Area:  5.  Collaborative  Security  Management. 


Mitigation  Activity 

Rationale 

Which  mitigation  activities  are  you  going  to  implement  in  this 
security  practice  area? 

Why  did  you  select  each  activity? 

Designate  an  IT  staff  member  as  point  of  contact  to 
communicate  our  requirements  for  protecting  PIDS 
information  to  ABC  Systems. 

Designate  staff  member  from  the  Maintenance 
Department  to  communicate  our  physical  security 
requirements  for  building  security  to  the  Facilities 
Management  Group. 

Wc  arc  currently  doing  nothing  with  respect  to 
communicating  security  requirements  to  ABC 
Systems  and  the  Facilities  Management  Group. 
Establishing  a  point  of  contact  for  each 
organization  should  improve  communication  of  our 
requirements. 

Note:  This  will  change  MedSite's  protection  strategy. 

The  IT  point  of  contact  will  verify  that  requirements 
for  protecting  PIDS  information  are  met  by  ABC 
Systems. 

The  Maintenance  Department  point  of  contact  will 
verify  that  requirements  for  physical  security  are  met 
by  the  Facilities  Management  Group  for  the  building. 

If  we  are  establishing  a  means  to  communicate 
our  requirements  to  ABC  Systems  and  the 

Facilities  Management  Group,  then  we  need  the 
points  of  contact  to  make  sure  that  those 
requirements  have  been  met. 

Note:  This  will  change  MedSite's  protection  strategy. 

• 

Contract  with  ABC  Systems  to  send  security  bulletins 
to  MedSite's  IT  point  of  contact,  who  will  forward  the 
bulletins  to  MedSite's  staff. 

MedSite’s  staff  is  not  receiving  information 
about  security  problems,  such  as  viruses. 
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Mitigation  Plan  Worksheet 


Mitigation  Responsibility 

Additional  Support 

Who  needs  to  be  involved  in  implementing  each  activity >? 
Why? 

What  additional  support  will  be  needed  when 
implementing  each  activity  (e.g.,  funding,  commitment  of 
staff,  sponsorship)? 

. 

TBD  -  Responsibility  must  be  assigned  by 

MedSite's  CIO  and  the  manager  of  the 

Maintenance  Department. 

MedSite's  senior  management  team  must  sponsor 
this  activity.  The  CIO  and  manager  of  the 
Maintenance  Department  must  assign  the  points 
of  contact. 

TBD  -  A  point  of  contact  must  be  assigned  to 
work  with  ABC  Systems.  A  point  of  contact  must 
be  assigned  to  work  with  the  Facilities 

Management  Group. 

MedSite's  senior  management  team  must  sponsor 
this  activity.  The  CIO  and  manager  of  the 
Maintenance  Department  must  assign  the  points 
of  contact. 

TBD  -  A  point  of  contact  must  be  assigned  to 
work  with  ABC  Systems. 

MedSite's  senior  management  team  must  sponsor 
this  activity.  The  CIO  must  assign  the  point  of 
contact. 
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Mitigation  Area:  8.  Monitoring  ond  Auditing  Physical  Security. 


Step  28 


Mitigation  Activity 


Rationale 


Which  mitigation  activities  are  you  going  to  implement  in  this 
security  practice  area? 


Why  did  you  select  each  activity? 


Document  formal  procedures  for  monitoring  physical 
access  to  all  XT  hardware  and  software  media. 


Note:  This  will  change  MedSite's  protection  strategy. 


Some  staff  members  from  MedSite's  IT 
department  informally  monitor  the  physical 
security  of  IT  hardware  and  software. 
Formalizing  the  procedures  would  help  to  ensure 
that  they  are  consistently  applied  by  all  IT  staff 
members. 


Assign  a  point  of  contact  from  MedSite  to  work  with 
the  Facilities  Management  Group  to  monitor  physical 
access  to  the  building  and  premises.  The  point  of 
contact  will  be  responsible  for  communicating 
MedSite's  requirements  for  monitoring  physical 
security  and  for  verifying  that  the  requirements  have 
been  met. 

Note:  This  will  change  MedSite's  protection  strategy. 


Responsibility  for  monitoring  and  auditing  physical 
security  is  assigned  to  the  Facilities  Management 
Group  and  MedSite.  Activities  are  not 
coordinated  among  the  two  organizations. 
Establishing  points  of  contact  at  MedSite  to  work 
with  staff  from  the  Facilities  Management  Group 
should  improve  communication  of  our 
requirements  and  improve  how  physical  security  is 
managed. 
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Mitigation  Plan  Worksheet 


Mitigation  Responsibility 

Additional  Support 

Who  needs  to  be  involved  in  implementing  each  activity  ? 
Why? 

What  additional  support  will  be  needed  when 
implementing  each  activity  (e.g.,  funding,  commitment  of 
staff,  sponsorship)? 

TBD  -  A  small  team  to  document  the  procedures 
must  be  assigned  by  MedSite’s  CIO  and/or  IT 
manager. 

MedSite's  CIO  must  sponsor  this  activity  and 
assign  a  small  team  to  document  the  procedures. 

TBD  -  A  point  of  contact  must  be  assigned  to 
work  with  Facilities  Management  Group. 

MedSite’s  senior  management  team  must  sponsor 
this  activity.  The  manager  of  the  Maintenance 
Department  must  assign  the  points  of  contact. 
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Mitigation  Area:  11.  Authentication  and  Authorization 


Step  28 


Mitigation  Activity _ _ 

Which  mitigation  activities  are  you  going  to  implement  in  this 
security  practice  area? 

Assign  joint  responsibility  for  the  following  to 
MedSite  and  ABC  Systems. 

-  implementing  access  controls  for  PIDS 

-  implementing  user  authentication  for  PIDS 


Rationale 

Why  did  you  select  each  activity? 


People  from  MedSite's  IT  department  must 
participate  in  controlling  access  to  PIDS.  Staff 
at  ABC  Systems  do  not  know  who  should  have 
legitimate  access  to  what. 


Note:  This  will  change  MedSite's  protection  strategy. 


.  . . . . — . - - - - - 

Document  procedures  for  controlling  access  to  PIDS. 

Note:  This  will  change  MedSite’s  protection  strategy. 

Restricting  user  access  is  currently  done  in  an  ad 
hoc  manner.  MedSite's  IT  department  must 
develop  formalized  procedures  for  restricting 
user  access  to  ensure  that  they  are  consistently 
applied  by  all  IT  staff  members.  Procedures  for 
implementing  access  controls  must  specify  how  to 
work  with  staff  from  ABC  Systems. 

Assign  a  point  of  contact  from  MedSite  to  work  with 
ABC  Systems  to  control  access  to  PIDS.  The  point  of 
mn+nr+  will  he  responsible  for  communicatinq 

MedSite’s  requirements  for  controlling  access  to  PIDS 
and  for  verifvinq  that  the  requirements  have  been 
met. 

Note:  This  will  change  MedSite's  protection  strategy. 

We  are  currently  doing  nothing  with  respect  to 
communicating  requirements  to  ABC  Systems  for 
controlling  access  to  information  and  systems. 
Establishing  a  point  of  contact  from  MedSite’s  IT 
department  should  improve  communication  of  our 
requirements. 

Mitigation  Plan  Worksheet 


Mitigation  Responsibility 

Additional  Support 

Who  needs  to  be  involved  in  implementing  each  activity? 
Why? 

What  additional  support  will  be  needed  when 
implementing  each  activity  (e.g.,  funding,  commitment  of 
staff,  sponsorship)? 

TBD  -  A  point  of  contact  must  be  assigned  to 
work  with  ABC  Systems. 

MedSite's  senior  management  team  must  sponsor 
this  activity.  The  CIO  must  assign  staff  to  work 
with  ABC  Systems. 

TBD  -  A  small  team  to  document  the  procedures 
must  be  assigned  by  MedSite’s  CIO  and/or  IT 
manager.  The  team  should  include  representation 
from  the  IT  department  and  the  point  of  contact 
for  ABC  Systems. 

MedSite's  senior  management  team  must  sponsor 
this  activity.  MedSite's  CIO  must  sponsor  this 
activity  and  assign  a  small  team  to  document  the 
procedures. 

TBD  -  A  point  of  contact  must  be  assigned  to 
work  with  ABC  Systems. 

MedSite’s  senior  management  team  must  sponsor 
this  activity.  The  CIO  must  assign  the  point  of 
contact. 
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Step  28 


Mitigation  Activity  _ _ _ j  Rationale _ _ 

Which  mitigation  activities  are  you  going  to  implement  in  this  j  Why  did  you  select  each  activity? 
security  practice  area ?  I 


Check  all  PIDS  workstations  in  treatment  rooms  to 
ensure  that  access  to  those  workstations  automatically 
times  out  after  a  designated  period  of  time. 


Too  many  people,  both  staff  and  patients,  have 
physical  access  to  PIDS  from  workstations  in 
treatment  rooms.  Unauthorized  people  could  use 
this  access  to  view  a  patient's  medical  records 
deliberately.  Or  a  patient  could  accidentally  see 
another  patient's  medical  records.  Privacy 
regulations  makes  this  an  important  issue. 


Mitigation  Plan  Worksheet 


Mitigation  Responsibility 

Additional  Support 

Who  needs  to  be  involved  in  implementing  each  activity? 
Why? 

What  additional  support  will  be  needed  when 
implementing  each  activity  (e.g.,  funding,  commitment  of 
staff,  sponsorship)? 

TBD  -  MedSite's  CIO  and/or  IT  manager  will 
identify  the  IT  staff  who  will  implement  this 
activity.  Designated  staff  will  have  to  work  with 
staff  from  ABC  Systems  to  set  automatic 
timeouts. 

MedSite's  senior  management  team  must  sponsor 
this  activity.  MedSite's  CIO  must  sponsor  this 
activity  and  assign  a  staff  to  set  automatic 
timeouts. 
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Mitigation  Area:  4.  Security  Policies  and  Regulations, 


Step  28 


Mitigation  Activity 

Rationale 

Which  mitigation  activities  are  you  going  to  implement  in  this 
security  practice  area? 

Why  did  you  select  each  activity? 

Create  procedures  for  complying  with  HIPAA  data 
security  regulations. 

Note:  This  will  change  MedSite's  protection  strategy. 

MedSite  has  two  years  in  which  to  be  in 
compliance  with  the  HIPAA  data  security 
requirements. 

Note:  This  activity  is  driven  by  the  regulations 
rather  than  any  specif  ic  risk. 

Include  information  about  MedSite's  security-related 
policies  and  procedures  in  the  new  security  awareness 
training. 

Note:  This  will  change  MedSite's  protection  strategy. 

Few  staff  members  are  aware  of  or  understand 
MedSite's  security-related  policies.  This 
information  must  be  featured  in  awareness 
training. 

Note:  This  activity  is  driven  by  general  concerns 
rather  than  any  specif  ic  risk. 

Procedures  for  enforcing  MedSite's  security-related 
policies  must  be  created. 

Note:  This  will  change  MedSite's  protection  strategy. 

People's  behaviors  related  to  security  will  only 
change  if  they  understand  that  management 
strictly  enforces  MedSite's  security  policies. 

Note:  This  activity  is  driven  by  general  concerns 
rather  than  any  specif  ic  risk. 
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Mitigation  Responsibility 

Additional  Support 

Who  needs  to  be  involved  in  implementing  each  activity? 
Why? 

What  additional  support  will  be  needed  when 
implementing  each  activity  (e.g.,  funding,  commitment  of 
staff,  sponsorship)? 

!— - - -  ”T 

TBD  -  Responsibility  must  be  assigned  by 

MedSite's  senior  management  team. 

MedSite's  senior  management  team  must  sponsor 
this  activity. 

MedSite's  senior  management  team  and  the 

Training  Department  manager 

Updating  the  content  of  security  awareness 
training  requires  commitment  and  funding  from 
senior  management.  It  will  also  require  a 
commitment  from  MedSite's  Training 

Department. 

MedSite's  senior  management  team 

MedSite's  senior  management  team  must  sponsor 
this  activity. 
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Next  Steps  Worksheet 


16  Next  Steps  Worksheet 


Step  30 
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Step  30 


Management  Sponsorship  for  Security  Improvement  . .  .  .  _ 

What  must  management  do  to  support  the  implementation  of  OCTAVE-S  results? 

Consider: 

•  Contribute  funds  to  information  security  activities. 

•  Assign  staff  to  information  security  activities. 

•  Ensure  that  staff  members  have  sufficient  time  allocated  to  information  security  activities. 

•  Enable  staff  to  receive  training  about  information  security. 

•  Make  information  security  a  strategic  priority. 

MTF  management  must 

-  allocate  funds  to  implement  the  mitigation  plans 

-  make  information  security  a  strategic  priority 

All  functional  managers  must  ensure  that  staff  members  have  sufficient 
time  to  participate  in  any  security-related  activities  to  which  they  are 
assigned. 
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